aws-ia/terraform-cisco-secure-firewall

Terraform Module Project

Cisco Secure Firewall deployment in AWS in a Centralized and Distributed Architecture with GWLB using Terraform - Templates

Overview

This solution can be used to learn how to deploy Cisco Secure Firewall in an AWS environment as target devices of an AWS Gateway Load Balancer, in order to inspect traffic to and from the applications running in AWS according to the use cases below. The solution makes use of the Cisco Secure Firewall AWS Terraform module, the AWS Terraform provider, the Cisco FMC Terraform provider and the CDO Terraform provider to deploy the required resources, register the deployed FTDv instances to FMC (FMCv in AWS or cdFMC) and configure the required features on FMC.

Examples for the following use cases are provided in the examples folder to help you with your deployment:

  • Centralized Architecture with existing service and existing spoke VPC with FMC
  • Centralized Architecture with existing service and new spoke VPC with FMC
  • Centralized Architecture with new service and new spoke VPC with Cloud-delivered FMC
  • Distributed Architecture with outbound traffic
  • Distributed Architecture with inbound traffic
  • Multi VPC hub and spoke architecture for east-west traffic inspection

Note: The Terraform example in the root folder is for the use case "Centralized Architecture with existing service and new spoke VPC with FMC".

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.5 |
| aws | >= 2.7.0 |
| fmc | <= 1.4.8 |
| time | 0.10.0 |

Providers

| Name | Version |
|------|---------|
| fmc | <= 1.4.8 |
| time | 0.10.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| gwlb | CiscoDevNet/secure-firewall/aws//modules/gwlb | 1.0.28 |
| gwlbe | CiscoDevNet/secure-firewall/aws//modules/gwlbe | 1.0.28 |
| instance | CiscoDevNet/secure-firewall/aws//modules/firewall_instance | 1.0.28 |
| nat_gw | CiscoDevNet/secure-firewall/aws//modules/nat_gw | 1.0.28 |
| service_network | CiscoDevNet/secure-firewall/aws//modules/network | 1.0.28 |
| spoke_network | CiscoDevNet/secure-firewall/aws//modules/network | 1.0.28 |
| transitgateway | CiscoDevNet/secure-firewall/aws//modules/transitgateway | 1.0.28 |

Resources

| Name | Type |
|------|------|
| fmc_access_policies.access_policy | resource |
| fmc_access_rules.access_rule_1 | resource |
| fmc_device_physical_interfaces.physical_interfaces00 | resource |
| fmc_device_physical_interfaces.physical_interfaces01 | resource |
| fmc_device_vni.vni | resource |
| fmc_device_vtep.vtep_policies | resource |
| fmc_devices.device1 | resource |
| fmc_devices.device2 | resource |
| fmc_ftd_deploy.ftd | resource |
| fmc_ftd_manualnat_rules.new_rule | resource |
| fmc_ftd_nat_policies.nat_policy | resource |
| fmc_host_objects.aws_meta | resource |
| fmc_host_objects.inside_gw | resource |
| fmc_policy_devices_assignments.policy_assignment | resource |
| fmc_security_zone.inside | resource |
| fmc_security_zone.outside | resource |
| fmc_security_zone.vni | resource |
| fmc_smart_license.license | resource |
| fmc_staticIPv4_route.route | resource |
| time_sleep.wait_for_ftd | resource |
| fmc_device_physical_interfaces.one_physical_interface | data source |
| fmc_device_physical_interfaces.zero_physical_interface | data source |
| fmc_devices.device | data source |
| fmc_network_objects.any_ipv4 | data source |
| fmc_port_objects.http | data source |
| fmc_port_objects.ssh | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_access_key | AWS access key | `string` | n/a | yes |
| aws_secret_key | AWS secret key | `string` | n/a | yes |
| fmc_host | FMC public IP | `string` | n/a | yes |
| fmc_nat_id | FMC registration NAT ID | `string` | n/a | yes |
| fmc_password | FMC user password for API access | `string` | n/a | yes |
| fmc_username | FMC username for API access | `string` | n/a | yes |
| ftd_admin_password | FTD admin password | `string` | n/a | yes |
| reg_key | FTD registration key | `string` | n/a | yes |
| availability_zone_count | Number of availability zones to use | `number` | `2` | no |
| block_encrypt | Whether to encrypt the instance block storage | `bool` | `true` | no |
| create_tgw | Whether a transit gateway needs to be created | `bool` | `true` | no |
| diag_subnet_cidr | List of diagnostic subnet CIDRs | `list(string)` | `["172.16.24.0/24", "172.16.240.0/24"]` | no |
| diag_subnet_name | Diagnostic subnet names | `list(string)` | `["diag1", "diag2"]` | no |
| fmc_insecure_skip_verify | Whether to skip verification of the FMC certificate (insecure) | `bool` | `true` | no |
| fmc_ip | FMCv IP | `string` | `""` | no |
| ftd_size | FTD instance size | `string` | `"c5.xlarge"` | no |
| ftd_version | Version of the FTD to be deployed | `string` | `"ftdv-7.2.7"` | no |
| gwlb_name | Name for the Gateway Load Balancer | `string` | `"GWLB"` | no |
| gwlb_tg_name | GWLB target group name | `string` | `"gwlb-tg"` | no |
| gwlbe_subnet_cidr | List of GWLBE subnet CIDRs | `list(string)` | `["172.16.212.0/24", "172.16.232.0/24"]` | no |
| gwlbe_subnet_name | List of GWLBE subnet names | `list(string)` | `["gwlb1", "gwlb2"]` | no |
| inscount | FTD instance count | `number` | `2` | no |
| inside_gw_ips | Inside subnet gateway IPs | `list(string)` | `["172.16.29.1", "172.16.190.1"]` | no |
| inside_interface_sg | Ingress rules for the inside interface security group; one list element per rule | `list(object({ from_port = number, protocol = string, to_port = number, cidr_blocks = list(string), description = string }))` | `[{ "cidr_blocks": ["172.16.29.0/24", "172.16.190.0/24"], "description": "HTTP Access", "from_port": 80, "protocol": "TCP", "to_port": 80 }]` | no |
| inside_subnet_cidr | List of inside subnet CIDRs | `list(string)` | `["172.16.29.0/24", "172.16.190.0/24"]` | no |
| inside_subnet_name | Inside subnet names | `list(string)` | `["inside1", "inside2"]` | no |
| instances_per_az | Number of instances to create per availability zone | `number` | `1` | no |
| keyname | Key pair to be used for the instances | `string` | `"ln"` | no |
| mgmt_interface_sg | Ingress rules for the management interface security group; one list element per rule | `list(object({ from_port = number, protocol = string, to_port = number, cidr_blocks = list(string), description = string }))` | `[{ "cidr_blocks": ["172.16.0.0/24"], "description": "Mgmt Traffic from FMC", "from_port": 8305, "protocol": "TCP", "to_port": 8305 }]` | no |
| mgmt_subnet_cidr | List of management subnet CIDRs | `list(string)` | `["172.16.220.0/24", "172.16.210.0/24"]` | no |
| mgmt_subnet_name | Management subnet names | `list(string)` | `["mgmt1", "mgmt2"]` | no |
| ngw_subnet_cidr | List of NGW subnet CIDRs | `list(string)` | `["172.16.211.0/24", "172.16.221.0/24"]` | no |
| ngw_subnet_name | List of NGW subnet names | `list(string)` | `["ngw1", "ngw2"]` | no |
| outside_interface_sg | Ingress rules for the outside interface security group; one list element per rule | `list(object({ from_port = number, protocol = string, to_port = number, cidr_blocks = list(string), description = string }))` | `[{ "cidr_blocks": ["172.16.230.0/24", "172.16.241.0/24"], "description": "GENEVE Access", "from_port": 6081, "protocol": "UDP", "to_port": 6081 }, { "cidr_blocks": ["172.16.230.0/24", "172.16.241.0/24"], "description": "SSH Access", "from_port": 22, "protocol": "TCP", "to_port": 22 }]` | no |
| outside_subnet_cidr | List of outside subnet CIDRs | `list(string)` | `["172.16.230.0/24", "172.16.241.0/24"]` | no |
| outside_subnet_name | Outside subnet names | `list(string)` | `["outside1", "outside2"]` | no |
| region | AWS region | `string` | `"us-east-1"` | no |
| service_create_igw | Whether to create an IGW for the service VPC | `bool` | `false` | no |
| service_igw_name | Name of the existing IGW to be used | `string` | `"service-vpc-igw"` | no |
| service_vpc_name | Service VPC name | `string` | `"Cisco-FMCv"` | no |
| spoke_create_igw | Whether to create an IGW for the spoke VPC | `bool` | `true` | no |
| spoke_igw_name | Name of the existing IGW to be used | `string` | `"spoke-igw"` | no |
| spoke_subnet_cidr | List of spoke subnet CIDRs | `list(string)` | `["10.6.1.0/24", "10.6.2.0/24"]` | no |
| spoke_subnet_name | List of spoke subnet names | `list(string)` | `["spoke1", "spoke2"]` | no |
| spoke_vpc_cidr | CIDR for the spoke VPC | `string` | `"10.0.0.0/16"` | no |
| spoke_vpc_name | Spoke VPC name | `string` | `"spoke-vpc"` | no |
| tgw_subnet_cidr | List of transit gateway subnet CIDRs | `list(string)` | `[]` | no |
| tgw_subnet_name | List of names for the TGW subnets | `list(string)` | `["tgw1", "tgw2"]` | no |
| transit_gateway_name | Name of the transit gateway created | `string` | `null` | no |
| use_ftd_eip | Whether to attach an EIP to the FTD | `bool` | `false` | no |
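A `terraform.tfvars` for the root example that tightens the security-relevant inputs listed above (added here as an illustration, not a file from the repository; the FMC address and username are constructed values, and the security-group rules reuse the subnets from the defaults):

```hcl
# terraform.tfvars for the root example (added illustration, not a repository file).
# Secrets are deliberately absent: supply them through the environment instead of
# committing them, e.g.
#   export TF_VAR_aws_access_key=... TF_VAR_aws_secret_key=...
#   export TF_VAR_fmc_password=...  TF_VAR_ftd_admin_password=...
#   export TF_VAR_reg_key=...       TF_VAR_fmc_nat_id=...

region       = "us-east-1"
fmc_host     = "203.0.113.10"   # constructed example address (RFC 5737 range)
fmc_username = "terraform-api"  # hypothetical API-only FMC account

# The module default is true; set it to false so the FMC provider validates the
# FMC certificate instead of accepting any certificate on the API connection.
fmc_insecure_skip_verify = false

block_encrypt = true   # default, made explicit: encrypt FTDv block storage
use_ftd_eip   = false  # no public address on the FTDv instances

# Management interface: only the FMC-to-FTD management channel (TCP 8305)
# from the FMC's own subnet; nothing else reaches the management plane.
mgmt_interface_sg = [
  {
    from_port   = 8305
    to_port     = 8305
    protocol    = "TCP"
    cidr_blocks = ["172.16.0.0/24"]
    description = "Mgmt Traffic from FMC"
  }
]

# Outside interface: the GWLB delivers traffic over GENEVE (UDP 6081), so that is
# the only ingress needed from the outside subnets. The default's SSH rule on this
# interface is omitted; device management goes through the management interface.
outside_interface_sg = [
  {
    from_port   = 6081
    to_port     = 6081
    protocol    = "UDP"
    cidr_blocks = ["172.16.230.0/24", "172.16.241.0/24"]
    description = "GENEVE Access"
  }
]
```

Run `terraform plan` with these values and confirm in the plan that no security group rule on the FTDv interfaces carries `0.0.0.0/0` before applying.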

Outputs

| Name | Description |
|------|-------------|
| instance_ip | Public IP address of the FTD instances |
| internet_gateway | Internet Gateway ID |