Automated ISE setup using Terraform on AWS

  1. This project runs a Terraform module that deploys up to 58 ISE nodes (min: 2, max: 58) on AWS, based on user input
  2. It deploys the required infrastructure and configures the ISE nodes according to the user input
  3. This module requires at least 2 subnets in the VPC infrastructure

ISE Supported Versions

  • 3.1
  • 3.2
  • 3.3

Requirements

  • Terraform >= 1.5.0
  • AWS CLIv2

Installations

  1. To install Terraform, follow the instructions for your operating system - Install Terraform

  2. To install AWS CLIv2, follow the instructions here - Install AWS CLIv2

Configure AWS

  1. To configure and allow access to the AWS account, create an IAM user with a least-privilege access policy - create terraform-iam-policy.

    For more comprehensive information on configuring Identity and Access Management, you can find detailed guidance here.

  2. Create a programmatic access key (AWS access key and secret key). Follow this document to manage access keys - How to manage aws access keys.

Run aws configure as below and enter the access and secret keys.

aws configure
AWS Access Key ID [*******************]: <Enter access key>
AWS Secret Access Key [********************]: <Enter secret key>
Default region name [us-east-2]: 

Prerequisites

Before running the Terraform modules, follow the steps below

  1. Subscribe to the Cisco ISE product in AWS Marketplace
  • Log in to the AWS console and search for AWS Marketplace Subscriptions.
  • In the Manage subscriptions window, select Discover Products in the left pane. Search for Cisco Identity Services Engine (ISE) in the search bar and subscribe to it.
  2. Create an EC2 key pair by following this documentation - Create ec2 key pair

  3. Set up SSH for git by following this documentation - How to setup SSH for git

  4. It is recommended to create an S3 bucket beforehand to store the Terraform backend state files; the bucket is referenced in the terraform init command below. Storing Terraform state files in S3 provides better collaboration, security and durability than keeping state files locally

Terraform module structure

For the detailed structure of this Terraform module, check here - Module structure

Run terraform modules

Clone this git repo using the command below

git clone https://github.com/CiscoISE/ciscoise-terraform-automation-aws-nodes.git

Choose one of the following options to set up the ISE infrastructure

To deploy using an existing VPC

cd examples/create-ec2-with-existing-vpc

Refer to the create-ec2-with-existing-vpc README and update the variables in terraform.tfvars

To deploy using a new VPC

cd examples/create-ec2-with-new-vpc

Refer to the create-ec2-with-new-vpc README and update the variables in terraform.tfvars

After updating terraform.tfvars, run the commands below

# bucket: the S3 bucket name created in prerequisites - step 4
# region: the S3 bucket region, e.g. us-east-1 for N. Virginia
# (comments are kept above the command: a comment after a trailing "\" would
#  break the line continuation and the remaining flags would not be passed)
terraform init -upgrade \
   -backend-config="bucket=<bucket_name>" \
   -backend-config="region=<bucket_region>" \
   -reconfigure
terraform plan
terraform apply

Type 'yes' when prompted after running terraform apply

After terraform apply completes, an output block is generated as shown in the screenshot below

[Screenshot: terraform output]

After the ISE infrastructure is set up with Terraform, it takes 45-60 minutes (the time varies with the number of nodes) for the stack to deploy and for the ISE application to come up

NOTE: ISE is launched in a private VPC, and the EC2 instances are currently reachable from all IPs on all ports. To restrict access to the ISE-specific ports and protocols, update the 'Inbound Rules' and 'Outbound Rules' of the security group named "ISE-Security-group" in the AWS Console. This security group is created for the Cisco ISE instances by this module itself.
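Before and after tightening those rules, it is worth confirming what the group actually allows rather than trusting the console view. The script below is an added example and not part of this module: it parses the JSON that `aws ec2 describe-security-groups --filters Name=group-name,Values=ISE-Security-group --output json` returns and lists every rule whose source (or, for egress, destination) is any IPv4 or IPv6 address. The embedded sample output is constructed to match the state this note describes (all protocols and ports open from 0.0.0.0/0) plus one scoped rule; the group id and CIDRs in it are placeholders, and the function names are this example's own.

```python
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --filters Name=group-name,Values=ISE-Security-group`.
# The first ingress rule mirrors the README's warning: all protocols, all ports,
# from any address. The group id and 10.20.0.0/16 range are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupName": "ISE-Security-group",
            "GroupId": "sg-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        }
    ]
})

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# AWS uses IpProtocol "-1" for "all traffic"; FromPort/ToPort are then absent.
DIRECTION_KEYS = {"ingress": "IpPermissions", "egress": "IpPermissionsEgress"}


def describe_ports(perm: dict[str, Any]) -> str:
    """Render one permission entry's protocol/port range for reporting."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all protocols/all ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return f"{proto}/all ports"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def find_world_open_rules(describe_json: str,
                          direction: str = "ingress") -> list[dict[str, str]]:
    """Return every rule in the given direction that allows any IPv4/IPv6 address.

    Scoped CIDRs and security-group-to-security-group references are not reported.
    """
    key = DIRECTION_KEYS[direction]
    findings: list[dict[str, str]] = []
    for sg in json.loads(describe_json).get("SecurityGroups", []):
        for perm in sg.get(key, []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in (ANY_V4, ANY_V6):
                    findings.append({
                        "group": sg.get("GroupName", "?"),
                        "group_id": sg.get("GroupId", "?"),
                        "direction": direction,
                        "ports": describe_ports(perm),
                        "cidr": cidr,
                    })
    return findings


def main() -> int:
    # Read real CLI output from stdin when piped; otherwise use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    findings = find_world_open_rules(data, "ingress") + find_world_open_rules(data, "egress")
    for f in findings:
        print(f"{f['group']} ({f['group_id']}) {f['direction']}: {f['ports']} to/from {f['cidr']}")
    # Non-zero exit when any inbound rule is world-open, so this can gate a pipeline.
    return 1 if any(f["direction"] == "ingress" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `aws ec2 describe-security-groups --filters Name=group-name,Values=ISE-Security-group --output json | python3 check_sg.py` against the deployed account; with no stdin it evaluates the constructed sample. Egress to 0.0.0.0/0 is the AWS default for a new group and is reported for visibility only; the exit code is driven by inbound rules, which are the ones the note above asks you to restrict.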

For your reference, the screenshot below shows the AWS State Machine output (found under AWS Step Functions) after the ISE application is successfully launched and running. Each Lambda has its own log group, created while launching the stack. Monitor the logs as required.

[Screenshot: state machine output]

Destroy Infrastructure

To destroy the ISE infrastructure resources created by this module, run the commands below.

NOTE: Manual changes or resources created outside this Terraform module are not tracked in the Terraform state and cause issues when upgrading or destroying the deployed stack. Avoid manual changes. If manual changes are still needed, keep a note of them and revert them before any upgrade or destroy.

# preview what will be destroyed before destroying it
terraform plan -destroy
terraform destroy

To learn more about the destroy command, refer to the terraform destroy page

If you encounter issues with the terraform destroy command, try running it again. Additionally, you can list the resources managed by Terraform with the following command

terraform state list