A Terraform script to demonstrate FortiOS provider to configure a FortiGate VM in AWS.
Running the code below with a FortiDemo instance will request a connection to the Security Fabric. The user will need to authorize the FortiGate AWS VM from the Fabric Connectors page.
The script also initiates an AWS Inspector assessment run against the Ubuntu instance in the private subnet.
Requirements:
- Terraform 0.14.4
- An AWS access key
- FortiOS 6.4.4
- An environment with the expect tool available: https://core.tcl-lang.org/expect/index
Terraform deploys the following components:
- A VPC with two subnets, one private, one public
- An Internet gateway
- A NAT gateway
- An Ubuntu 18.04 instance in the private subnet
- A FortiGate PAYG instance with two NICs, one in each subnet
- An S3 bucket, to store the config files
- A security group with no restrictions
- An AWS Inspector template and targets
Note: By default the script expects an SSH public key at ~/.ssh/id_rsa.pub

Note (IPv6): The FortiGate cloud-init data expects an IPv4 address to be added to the trusthost. If you are using IPv6 you will need to adjust the trusthost under config_script from set ipv4-trusthost to set ipv6-trusthost.

To deploy the FortiDemo Inspector:
- Clone the repository.
- Change to the cloned directory and initialize the providers and modules:

      $ cd fortidemo-inspector
      $ terraform init

- Submit the Terraform plan using the command below. Replace the variables with your own Access Key and Secret Key:

      $ terraform plan -var "access_key=<access_key>" -var "secret_key=<secret_key>" -var "fortidemo_ip=<ip_address>"

- Verify the output.
- Confirm and apply the plan:

      $ terraform apply -var "access_key=<access_key>" -var "secret_key=<secret_key>" -var "fortidemo_ip=<ip_address>"

- If the output is satisfactory, type `yes`.
To destroy the cluster, use the command:

    $ terraform destroy -var "access_key=<access_key>" -var "secret_key=<secret_key>"

The region is hard-coded to `us-west-1`. If the region is changed, the Inspector rules must also be changed under `rules_package_arns` in `"aws_inspector_assessment_template" "inspector_template"`.
Inspector rule ARNs can be found here.
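Because Inspector rules package ARNs are region-specific, hand-editing them whenever the region changes is error-prone. The following added example (not the project's own code) shows how the template could instead resolve the ARNs for the configured region through the provider's `aws_inspector_rules_packages` data source; the `region` variable and the `inspector_target` resource name are assumptions.

```hcl
# Added example, not part of the fortidemo-inspector project.
# Assumes a "region" variable and an assessment target named "inspector_target".
variable "region" {
  default = "us-west-1"
}

provider "aws" {
  region     = var.region
  access_key = var.access_key
  secret_key = var.secret_key
}

# Looks up every rules package ARN valid in var.region, so changing the
# region no longer requires editing the ARN list by hand.
data "aws_inspector_rules_packages" "rules" {}

resource "aws_inspector_assessment_template" "inspector_template" {
  name               = "fortidemo-inspector-template"
  target_arn         = aws_inspector_assessment_target.inspector_target.arn
  duration           = 3600
  rules_package_arns = data.aws_inspector_rules_packages.rules.arns
}
```

Run `terraform plan` after the change and confirm the listed ARNs carry the expected region before applying.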
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact github@fortinet.com.
License © Fortinet Technologies. All rights reserved.