terraform-aws-fortigate

Create a FortiGate VM. This module can optionally pre-configure the FortiGate, either using a configuration file supplied by you (in an S3 bucket) or by simply loading a basic config that ensures the firewall is reachable over the assigned Elastic IP. This is useful when you don't have other means of connectivity into the VPC.

Usage

module "firewall" {
  source         = "rhythmictech/fortigate/aws"
  config_bucket_name   = "${local.account_id}-${var.region}-fortigate-config"
  create_config_bucket = true
  enable_auto_config   = true
  external_subnet_id   = "subnet-01234567890"
  instance_type        = "t3.large"
  internal_subnet_id   = "subnet-01234567891"
  load_default_config  = true
  vpc_id               = "vpc-01234567890"
}

Warning: When using the default config bootstrapper, an admin password is set. This password is stored in Secrets Manager but is ultimately pulled into the bootstrap config file stored in S3. This means that it is both in S3 and in the tfstate file unencrypted.

For production use, it is recommended to change the password after provisioning and update Terraform to not attempt to load a default config, which will then cause the temporary secret to be removed from both S3 and Secrets Manager.

Requirements

Name	Version
terraform	>= 0.13.4
aws	>= 3.8

Providers

Name	Version
aws	4.17.1

Modules

Name	Source	Version
fortigate_password	rhythmictech/secretsmanager-random-secret/aws	~> 1.4
keypair	rhythmictech/secretsmanager-keypair/aws	~> 0.0.4

Resources

Name	Type
aws_eip.this	resource
aws_eip_association.this	resource
aws_iam_instance_profile.this	resource
aws_iam_policy.bucket_access	resource
aws_iam_role.this	resource
aws_iam_role_policy_attachment.bucket_access	resource
aws_iam_role_policy_attachment.sdn_access	resource
aws_instance.this	resource
aws_network_interface.outbound	resource
aws_route53_record.this	resource
aws_s3_bucket.config	resource
aws_s3_bucket_object.default_config	resource
aws_s3_bucket_public_access_block.config	resource
aws_security_group.external	resource
aws_security_group.internal	resource
aws_security_group_rule.allow_admin_https	resource
aws_security_group_rule.allow_admin_https_sgs	resource
aws_security_group_rule.allow_admin_ssh	resource
aws_security_group_rule.allow_admin_ssh_sgs	resource
aws_security_group_rule.allow_all_internal	resource
aws_security_group_rule.allow_all_out_external	resource
aws_security_group_rule.allow_all_out_internal	resource
aws_security_group_rule.allow_fortiguard	resource
aws_ami.byol	data source
aws_ami.ondemand	data source
aws_iam_policy_document.assume	data source
aws_iam_policy_document.bucket_access	data source
aws_partition.current	data source
aws_region.current	data source
aws_secretsmanager_secret.password	data source
aws_secretsmanager_secret_version.password	data source

Inputs

Name	Description	Type	Default	Required
allowed_admin_cidrs	Public CIDRs that will be able to access the FortiGate admin ports	list(string)	[ "0.0.0.0/0" ]	no
allowed_admin_security_group_id	Security group allowed to access admininstrative ports	string	null	no
ami_account_id	AWS account holding Fortinet AMI (GovCloud uses 874634375141)	string	"679593333241"	no
ami_byol_filter	AMI name string for on demand FG AMI	string	"FortiGate-VM64-AWS build*"	no
ami_ondemand_filter	AMI name string for on demand FG AMI	string	"FortiGate-VM64-AWSONDEMAND*"	no
config_bucket_config_file	Name of the configuration file in the S3 bucket	string	"fortigate.conf"	no
config_bucket_license_file	Name of the license file (leave blank if using on demand)	string	""	no
config_bucket_name	Name of config bucket. If create_config_bucket = true, a bucket with this name will be created.	string	""	no
config_bucket_region	Region that the S3 bucket is in. Required when the bucket is not created by this module.	string	""	no
create_config_bucket	Create a bucket for configuration auto loading	bool	false	no
create_config_bucket_iam_policy	Attach an IAM policy granting the FortiGate instance read access to all objects in the bucket.	bool	true	no
create_keypair	Whether to create a keypair for this instance, which will be stored in Secrets Manager	bool	true	no
create_route53_address	Associate a Route53 entry to the public EIP	bool	false	no
enable_auto_config	Enable auto configuration	bool	false	no
enable_sdn_access	Enable FortiGate SDN access to AWS resources	bool	false	no
external_subnet_id	Subnet ID to use for public interface	string	n/a	yes
https_admin_port	HTTPS port for administrative access	number	443	no
instance_type	Instance type for FG	string	"m5.large"	no
internal_subnet_id	Subnet ID to use for internal interface	string	n/a	yes
keypair	Keypair to use for EC2 instance (set to blank to omit a keypair, not used if create_keypair==true)	string	null	no
load_default_config	Place a default configuration file in the config bucket with the specified name	bool	false	no
name	Name of this Fortigate instance	string	"fortigate"	no
override_ami	Specify to force a specific AMI	string	""	no
route53_address	Route 53 address (do not include full domain)	string	""	no
route53_zone_id	n/a	string	""	no
tags	Tags to apply to supported resources (don't include name tag)	map(string)	{}	no
use_byol	Use BYOL license (as opposed to on demand pricing)	bool	false	no
vpc_id	VPC to create resources in	string	n/a	yes

Outputs

Name	Description
eip_fortigate	Elastic IP address of firewall
instance_fortigate	Fortigate Instance ID
instance_fortigate_primary_network_interface_id	Primary ENI ID (attach route tables to this)
keypair_key_name	Instance keypair name
s3_bucket_config	S3 bucket holding configuration
secretsmanager_secret_arn	FortiGate admin password secret
security_group_external	Security group for external access
security_group_internal	Security group for internal access