Create a FortiGate VM. This module can optionally pre-configure the FortiGate, either using a configuration file supplied by you (in an S3 bucket) or by simply loading a basic config that ensures the firewall is reachable over the assigned Elastic IP. This is useful when you don't have other means of connectivity into the VPC.
module "firewall" {
source = "git::https://github.com/rhythmictech/terraform-aws-fortigate"
config_bucket_name = "${local.account_id}-${var.region}-fortigate-config"
create_config_bucket = true
enable_auto_config = true
external_subnet_id = "subnet-01234567890"
instance_type = "t3.large"
internal_subnet_id = "subnet-01234567891"
load_default_config = true
vpc_id = "vpc-01234567890"
}
Warning: When using the default config bootstrapper, an admin password is set. This password is stored in Secrets Manager but is ultimately pulled into the bootstrap config file stored in S3. This means that it is both in S3 and in the tfstate file unencrypted.
For production use, it is recommended to change the password after provisioning and update Terraform to not attempt to load a default config, which will then cause the temporary secret to be removed from both S3 and Secrets Manager.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_admin_cidrs | Public CIDRs that will be able to access the FortiGate admin ports | list(string) | [ "0.0.0.0/0" ] |
no |
| allowed_admin_security_group_id | Security group allowed to access admininstrative ports | string | "" |
no |
| config_bucket_config_file | Name of the configuration file in the S3 bucket | string | "fortigate.conf" |
no |
| config_bucket_license_file | Name of the license file (leave blank if using on demand) | string | "" |
no |
| config_bucket_name | Name of config bucket. If create\_config\_bucket = true, a bucket with this name will be created. |
string | "" |
no |
| config_bucket_region | Region that the S3 bucket is in. Required when the bucket is not created by this module. | string | "" |
no |
| create_config_bucket | Create a bucket for configuration auto loading | bool | "false" |
no |
| create_config_bucket_iam_policy | Attach an IAM policy granting the FortiGate instance read access to all objects in the bucket. | bool | "true" |
no |
| create_route53_address | Associate a Route53 entry to the public EIP | bool | "false" |
no |
| enable_auto_config | Enable auto configuration | bool | "false" |
no |
| enable_sdn_access | Enable FortiGate SDN access to AWS resources | bool | "false" |
no |
| external_subnet_id | Subnet ID to use for public interface | string | n/a | yes |
| https_admin_port | HTTPS port for administrative access | number | "443" |
no |
| instance_type | string | "m5.large" |
no | |
| internal_subnet_id | Subnet ID to use for internal interface | string | n/a | yes |
| load_default_config | Place a default configuration file in the config bucket with the specified name | bool | "false" |
no |
| name | Name of this Fortigate instance | string | "fortigate" |
no |
| override_ami | Specify to force a specific AMI | string | "" |
no |
| route53_address | Route 53 address (do not include full domain) | string | "" |
no |
| route53_zone_id | string | "" |
no | |
| tags | Tags to apply to supported resources (don't include name tag) | map(string) | {} |
no |
| use_byol | Use BYOL license (as opposed to on demand pricing) | bool | "false" |
no |
| vpc_id | VPC to create resources in | string | n/a | yes |
| Name | Description |
|---|---|
| eip_fortigate | Elastic IP address of firewall |
| instance_fortigate | Fortigate Instance ID |
| instance_fortigate_primary_network_interface_id | Primary ENI ID (attach route tables to this) |
| keypair_key_name | Instance keypair name |
| s3_bucket_config | S3 bucket holding configuration |
| secretsmanager_secret_arn | FortiGate admin password secret |
| security_group_external | Security group for external access |
| security_group_internal | Security group for internal access |