Add files via upload

FortiWeb/Active-Active/Existing-VCN/terraform/customdatafwba.tpl

@@ -0,0 +1,48 @@
+Content-Type: multipart/mixed; boundary="==OCI=="
+MIME-Version: 1.0
+
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="config"
+
+config system global
+ set hostname ${fwba_vm_name}
+end
+config system interface
+ edit port1
+ set type physical
+ set allowaccess ping ssh snmp http https FWB-manager
+ set mode dhcp
+ next
+end
+config system interface
+ edit port2
+ set type physical
+ set ip ${fwba_ipaddress_port2} ${trust_mask}
+ set allowaccess ping ssh http https
+ next
+end
+config router static
+ edit 1
+ set device port1
+ set gateway ${untrusted_gateway_ip}
+ next
+end
+config system ha
+ set mode active-active-high-volume
+ set group-id 1
+ set group-name fwbaa
+ set priority 1
+ set override enable
+ set tunnel-local ${fwba_ipaddress_port2}
+ set tunnel-peer ${fwbb_ipaddress_port2}
+ set monitor port1 port2
+
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+--==OCI==--

FortiWeb/Active-Active/Existing-VCN/terraform/customdatafwbb.tpl

@@ -0,0 +1,47 @@
+Content-Type: multipart/mixed; boundary="==OCI=="
+MIME-Version: 1.0
+
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="config"
+
+config system global
+ set hostname ${fwbb_vm_name}
+end
+config system interface
+ edit port1
+ set type physical
+ set allowaccess ping ssh snmp http https FWB-manager
+ set mode dhcp
+ next
+end
+config system interface
+ edit port2
+ set type physical
+ set ip ${fwbb_ipaddress_port2} ${trust_mask}
+ set allowaccess ping ssh http https
+ next
+end
+config router static
+ edit 1
+ set device port1
+ set gateway ${untrusted_gateway_ip}
+ next
+end
+config system ha
+ set mode active-active-high-volume
+ set group-id 1
+ set group-name fwbaa
+ set override enable
+ set tunnel-local ${fwbb_ipaddress_port2}
+ set tunnel-peer ${fwba_ipaddress_port2}
+ set monitor port1 port2
+
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+--==OCI==--

FortiWeb/Active-Active/Existing-VCN/terraform/datasources.tf

@@ -0,0 +1,27 @@
+##############################################################################################################
+#
+# FortiWeb Active/Active Load Balanced pair of standalone FortiWeb VMs for resilience and scale
+# Terraform deployment template for Oracle Cloud
+#
+##############################################################################################################
+
+# Gets a list of Availability Domains
+data "oci_identity_availability_domains" "ads" {
+ compartment_id = var.tenancy_ocid
+}
+
+# Gets the boot volume attachments for each instance
+data "oci_core_boot_volume_attachments" "block_attach_fwb_a" {
+ depends_on = [oci_core_instance.vm_fwb_a]
+ availability_domain = oci_core_instance.vm_fwb_a.availability_domain
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.vm_fwb_a.id
+}
+
+# Gets the boot volume attachments for each instance
+data "oci_core_boot_volume_attachments" "block_attach_fwb_b" {
+ depends_on = [oci_core_instance.vm_fwb_b]
+ availability_domain = oci_core_instance.vm_fwb_b.availability_domain
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.vm_fwb_b.id
+}

FortiWeb/Active-Active/Existing-VCN/terraform/fortiweb-a.tf

@@ -0,0 +1,92 @@
+##############################################################################################################
+## FortiWeb-A Configuration
+##############################################################################################################
+
+# FortiWeb-A instance configuration
+resource "oci_core_instance" "vm_fwb_a" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "${var.PREFIX}-fwba"
+ shape = var.instance_shape
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrusted_subnet.id
+ display_name = "${var.PREFIX}-fwba-vnic-untrusted"
+ assign_public_ip = true
+ hostname_label = "${var.PREFIX}-fwba-vnic-untrusted"
+ private_ip = var.fwba_ipaddress_port1
+ }
+
+ launch_options {
+ // network_type = "PARAVIRTUALIZED"
+ network_type = "PARAVIRTUALIZED"
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid // marketplace listing
+ //source_id = "ocid1.image.oc1.phx.aaaaaaaalvrzh6j2edqh6s42rabhbhclwgnk4owdpjhqu5qsgtur7pc4lqaa" // private image
+ boot_volume_size_in_gbs = "50"
+ }
+
+ // Required for bootstrap
+ // Commnet out the following if you use the feature.
+ metadata = {
+ user_data = base64encode(data.template_file.custom_data_fwb_a.rendered)
+ # ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
+ }
+
+ timeouts {
+ create = "60m"
+ }
+}
+
+# FortiWeb-A trust vNIC configuration
+
+resource "oci_core_vnic_attachment" "vnic_attach_trust_a" {
+ depends_on = [oci_core_instance.vm_fwb_a]
+ instance_id = oci_core_instance.vm_fwb_a.id
+ display_name = "${var.PREFIX}-vnic_trust"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.trust_subnet.id
+ display_name = "${var.PREFIX}-fwba-vnic-trusted"
+ assign_public_ip = false
+ skip_source_dest_check = true
+ private_ip = var.fwba_ipaddress_port2
+ }
+}
+
+### DISK MANAGEMENT ###
+
+resource "oci_core_volume" "volume_fwb_a" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "${var.PREFIX}-fwba-volume"
+ size_in_gbs = var.volume_size
+}
+
+// Use paravirtualized attachment for now.
+resource "oci_core_volume_attachment" "volume_attach_fwb_a" {
+ attachment_type = "paravirtualized"
+ //attachment_type = "iscsi" // user needs to manually add the iscsi disk on fos after
+ instance_id = oci_core_instance.vm_fwb_a.id
+ volume_id = oci_core_volume.volume_fwb_a.id
+}
+
+// Use for bootstrapping cloud-init
+data "template_file" "custom_data_fwb_a" {
+ template = file("${path.module}/customdatafwba.tpl")
+
+ vars = {
+ fwba_vm_name = "${var.PREFIX}-fwba"
+ untrusted_gateway_ip = oci_core_subnet.untrusted_subnet.virtual_router_ip
+ vcn_cidr = var.vcn
+ fwba_ipaddress_port1 = var.fwba_ipaddress_port1
+ fwba_ipaddress_port2 = var.fwba_ipaddress_port2
+ fwbb_ipaddress_port1 = var.fwbb_ipaddress_port1
+ fwbb_ipaddress_port2 = var.fwbb_ipaddress_port2
+ trust_mask = "255.255.255.240"
+ untrust_mask = "255.255.255.240"
+ }
+}

FortiWeb/Active-Active/Existing-VCN/terraform/fortiweb-b.tf

@@ -0,0 +1,86 @@
+##############################################################################################################
+## FortiWeb-B 
+##############################################################################################################
+resource "oci_core_instance" "vm_fwb_b" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain2 - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "${var.PREFIX}-fwbb"
+ shape = var.instance_shape
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrusted_subnet.id
+ display_name = "${var.PREFIX}-fwbb-vnic-untrusted"
+ assign_public_ip = true
+ hostname_label = "${var.PREFIX}-fwbb-vnic-untrusted"
+ private_ip = var.fwbb_ipaddress_port1
+ }
+
+ launch_options {
+ network_type = "PARAVIRTUALIZED"
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid // marketplace listing
+ //source_id = "ocid1.image.oc1.phx.aaaaaaaalvrzh6j2edqh6s42rabhbhclwgnk4owdpjhqu5qsgtur7pc4lqaa" // private image
+ boot_volume_size_in_gbs = "50"
+ }
+
+ // Required for bootstrap
+ // Commnet out the following if you use the feature.
+ metadata = {
+ user_data = "${base64encode(data.template_file.custom_data_fwb_b.rendered)}"
+ # ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
+ }
+
+ timeouts {
+ create = "60m"
+ }
+}
+
+# FortiWeb-B trust vNIC configuration
+
+resource "oci_core_vnic_attachment" "vnic_attach_trust_b" {
+ depends_on = [oci_core_instance.vm_fwb_b]
+ instance_id = oci_core_instance.vm_fwb_b.id
+ display_name = "${var.PREFIX}-vnic_trust"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.trust_subnet.id
+ display_name = "${var.PREFIX}-fwbb-vnic-trusted"
+ assign_public_ip = false
+ skip_source_dest_check = true
+ private_ip = var.fwbb_ipaddress_port2
+ }
+}
+
+resource "oci_core_volume" "volume_fwb_b" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain2 - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "${var.PREFIX}-fwbb-volume"
+ size_in_gbs = var.volume_size
+}
+
+resource "oci_core_volume_attachment" "volume_attach_fwb_b" {
+ attachment_type = "paravirtualized"
+ //attachment_type = "iscsi" // user needs to manually add the iscsi disk on fos after
+ instance_id = oci_core_instance.vm_fwb_b.id
+ volume_id = oci_core_volume.volume_fwb_b.id
+}
+
+// Use for bootstrapping cloud-init
+data "template_file" "custom_data_fwb_b" {
+ template = file("${path.module}/customdatafwbb.tpl")
+
+ vars = {
+ fwbb_vm_name = "${var.PREFIX}-fwbb"
+ untrusted_gateway_ip = oci_core_subnet.untrusted_subnet.virtual_router_ip
+ vcn_cidr = var.vcn
+ fwbb_ipaddress_port1 = var.fwbb_ipaddress_port1
+ fwbb_ipaddress_port2 = var.fwbb_ipaddress_port2
+ fwba_ipaddress_port1 = var.fwba_ipaddress_port1
+ fwba_ipaddress_port2 = var.fwba_ipaddress_port2
+ trust_mask = "255.255.255.240"
+ untrust_mask = "255.255.255.240"
+ }
+}

FortiWeb/Active-Active/Existing-VCN/terraform/image_subscription.tf

@@ -0,0 +1,38 @@
+//Local variables pointing to the Marketplace catalog resource
+locals {
+ mp_listing_id = var.mp_listing_id
+ mp_listing_resource_id = var.vm_image_ocid
+ mp_listing_resource_version = var.mp_listing_resource_version
+}
+
+//Get Image Agreement
+resource "oci_core_app_catalog_listing_resource_version_agreement" "mp_image_agreement" {
+ listing_id = local.mp_listing_id
+ listing_resource_version = local.mp_listing_resource_version
+}
+
+//Accept Terms and Subscribe to the image, placing the image in a particular compartment
+resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
+ compartment_id = var.compartment_ocid
+ eula_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.eula_link
+ listing_id = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_id
+ listing_resource_version = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_resource_version
+ oracle_terms_of_use_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.oracle_terms_of_use_link
+ signature = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.signature
+ time_retrieved = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.time_retrieved
+
+ timeouts {
+ create = "30m"
+ }
+}
+
+// Gets the partner image subscription
+data "oci_core_app_catalog_subscriptions" "mp_image_subscription" {
+ #Required
+ compartment_id = var.compartment_ocid
+ listing_id = local.mp_listing_id
+ filter {
+ name = "listing_resource_version"
+ values = ["${local.mp_listing_resource_version}"]
+ }
+}