terraform-aviatrix-backbone

Description

This module composes the mc-transit, mc-firenet and peering modules(1)(2) together to provide a reference transit layer implementation.

Compatibility

Module version	Terraform version	Controller version	Terraform provider version	Used Transit module	Used Firenet module
v1.2.3	>=1.3.0	>= 7.1	~> 3.1.0	v2.5.1	v1.5.0

Check release notes for more details. Check compatibility list for older versions.

Usage Example

module "framework" {
  source  = "terraform-aviatrix-modules/backbone/aviatrix"
  version = "v1.2.2"

  global_settings = {

    transit_accounts = {
      aws   = "AWS-Account",
      azure = "Azure-Account",
      gcp   = "GCP-Account",
    }

    firenet_firewall_image = {
      aws   = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
      azure = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
      gcp   = "Palo Alto Networks VM-Series Next-Generation Firewall BUNDLE1",
    }

    transit_ha_gw = false

  }

  transit_firenet = {

    #Transit firenet in AWS, using default_firewall_image
    transit1a = {          
      transit_cloud       = "aws",
      transit_cidr        = "10.1.0.0/23",
      transit_region_name = "eu-central-1",
      transit_asn         = 65101,
      firenet             = true,
    },

    #Egress transit firenet, with different NGFW then provided in default_firewall_image (override).
    transit1b = {                           
      transit_cloud                         = "aws",
      transit_cidr                          = "10.1.0.0/23",
      transit_region_name                   = "eu-central-1",
      transit_asn                           = 65111,
      transit_enable_egress_transit_firenet = true,
      firenet                               = true,
      firenet_firewall_image                = "Fortinet FortiGate Next-Generation Firewall",
    },    

    #Transit in Azure
    transit2 = {
      transit_cloud       = "azure",
      transit_cidr        = "10.1.2.0/23",
      transit_region_name = "West Europe",
      transit_asn         = 65102,
    },

    #Transit firenet in GCP, using default_firewall_image
    transit3 = {
      transit_cloud       = "gcp",
      transit_cidr        = "10.1.4.0/23",
      transit_lan_cidr    = "10.99.1.0/24",
      firenet_egress_cidr = "10.99.2.0/24",
      transit_region_name = "us-east1",
      transit_asn         = 65103,
      firenet             = true,
    },    
  }
}

Variables

The following variables are required:

key	value
transit_firenet	A map with all relevant transit and firenet arguments. See Transit-Firenet map arguments to see which arguments are supported and mandatory. Can also be provided as JSON or YAML.

The following variables are optional:

key	default	value
global_settings		Map of values to override default behavior or set standard values.
enable_max_performance		Enable/disable multiple tunnels for peerings between HPE gateways.
excluded_cidrs	["0.0.0.0/0", ]	List of CIDR's to exlude in peerings (not used for custom peerings).
peering_mode	full_mesh_optimized	Choose between full_mesh, full_mesh_optimized, custom or none.
peering_map	{}	If peering_mode is custom, this map of peerings will be built. Example see link.
peering_prune_list	[]	If peering_mode is full_mesh or optimized_full_mesh, this list of peerings will NOT be built. Example see link.

Transit Firenet map arguments

Arguments in this map prepended with "transit_" are pushed to the underlying mc-transit module. Arguments prepended with "firenet_" are pushed to the mc-firenet module. As such, more details on these arguments can also be found in the documentation of the mc-transit and mc-firenet modules. (e.g. "transit_cidr" maps to the "cidr" argument on the mc-transit module)

The following arguments are mandatory in the "transit_firenet" map variable:

key	value
transit_cloud	Cloud in which this entry needs to be deployed. Valid values are: aws, azure, gcp, ali, oci.
transit_cidr	The CIDR for creating the transit (firenet) VPC/VNET/VCN.
transit_region_name	The name of the region in which this entry needs to be deployed.
transit_asn	A global unique AS Number for the transit gateway.

The following arguments are optional in the transit firenet map variable: Any options set here will override the default_* variables for that particular instance.

= AWS, = Azure, = GCP, = OCI, = Alibaba

Key	Supported_CSP's	Default value	Description
transit_allocate_new_eip		null	When value is false, reuse an idle address in Elastic IP pool for this gateway. Otherwise, allocate a new Elastic IP and use it for this gateway.
transit_account**			Access accounts to be used to deploy the transit Firenet infrastructure.
transit_availability_domain			Availability domain in OCI.
transit_az_support		true	Set to false if the region does not support Availability Zones.
transit_az1		a az-1 b	Concatenates with region to form az names. e.g. eu-central-1a. Only used for insane mode and AWS GWLB.
transit_az2		b az-2 c	Concatenates with region to form az names. e.g. eu-central-1b. Only used for insane mode and AWS GWLB. If az1 and az2 are equal. Single AZ mode (deploy everyting in 1 AZ) is triggered.
transit_azure_eip_name_resource_group		null	Name of public IP Address resource and its resource group in Azure to be assigned to the Transit Gateway instance.
transit_bgp_ecmp		false	Enable Equal Cost Multi Path (ECMP) routing for the next hop
transit_bgp_hold_time		180	Set the BGP Hold time.
transit_bgp_lan_interfaces			A list of interfaces to run BGP protocol on top of the ethernet interface
transit_bgp_lan_interfaces_count			Number of interfaces that will be created for BGP over LAN enabled Azure transit.
transit_bgp_manual_spoke_advertise_cidrs			Intended CIDR list to advertise via BGP. Example: "10.2.0.0/16,10.4.0.0/16"
transit_bgp_polling_time		50	BGP route polling time. Unit is in seconds
transit_connected_transit		true	Set to false to disable connected_transit
transit_customer_managed_keys			Customer managed key ID for EBS Volume encryption.
transit_eip		null	Required when allocate_new_eip is false. It uses the specified EIP for this gateway.
transit_enable_active_standby		false	Enables Active-Standby Mode. Available only with HA enabled.
transit_enable_active_standby_preemptive		false	Enables Preemptive Mode for Active-Standby. Available only with BGP enabled, HA enabled and Active-Standby enabled.
transit_enable_advertise_transit_cidr		false	Switch to enable/disable advertise transit VPC network CIDR for a VGW connection
transit_enable_bgp_over_lan		false	Enable BGP over LAN. Creates interface for integration with SDWAN or other BGP peerings over LAN.
transit_enable_egress_transit_firenet		false	Enable Egress Transit FireNet
transit_enable_encrypt_volume		false	Set to true to enable EBS volume encryption for Gateway.
transit_enable_firenet		false	Sign of readiness for FireNet connection with TGW
transit_enable_gateway_load_balancer		false	Enable FireNet interfaces with AWS Gateway Load Balancer.
transit_enable_gro_gso		true	Enable GRO/GSO for this transit gateway.
transit_enable_monitor_gateway_subnets		false	If set to true, the Monitor Gateway Subnets feature in AWS is enabled.
transit_enable_multi_tier_transit		false	Switch to enable multi tier transit
transit_enable_preserve_as_path		false	Enable preserve as_path when advertising manual summary cidrs on BGP transit gateway.
transit_enable_s2c_rx_balancing		false	Allows to toggle the S2C receive packet CPU re-balancing on transit gateway.
transit_enable_vpc_dns_server		null	Enable VPC DNS Server for Gateway.
transit_segmentation		true	Switch to true to enable transit segmentation
transit_enable_transit_firenet		false	Sign of readiness for Transit FireNet connection
transit_fault_domain			Fault domain in OCI.
transit_gw_name			Name for the transit gateway.
transit_ha_availability_domain			Availability domain in OCI for HA GW.
transit_ha_azure_eip_name_resource_group		null	Name of public IP Address resource and its resource group in Azure to be assigned to the Transit Gateway instance.
transit_ha_bgp_lan_interfaces			A list of interfaces to run BGP protocol on top of the ethernet interface
transit_ha_cidr			The IP CIDR to be used to create ha_region spoke subnet. Only required when ha_region is set.
transit_ha_eip		null	Required when allocate_new_eip is false. It uses the specified EIP for this gateway.
transit_ha_fault_domain			Fault domain in OCI for HA GW.
transit_ha_gw		true	Set to false if you only want to deploy a single Aviatrix transit gateway
transit_ha_region			Region for multi region HA. HA is multi-az single region by default, but will become multi region when this is set.
transit_hybrid_connection		false	Sign of readiness for TGW connection
transit_insane_mode		false	Set to true to enable insane mode encryption
transit_instance_size (insane mode/firenet)		c5n.xlarge Standard_D3_v2 n1-highcpu-4 VM.Standard2.4	The size of the Aviatrix transit gateways when insane mode or Transit Firenet is enabled.
transit_instance_size		t3.medium Standard_B1ms n1-standard-1 VM.Standard2.2 ecs.g5ne.large	The size of the Aviatrix transit gateways.
transit_lan_cidr			CIDR For LAN VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true.
transit_learned_cidr_approval		false	Switch to true to enable learned CIDR approval
transit_learned_cidrs_approval_mode			Learned cidrs approval mode. Defaults to Gateway. Valid values: gateway, connection
transit_name		avx-<region>-transit	Name for this Transit VPC/VNET/VCN and it's gateways
transit_private_mode_lb_vpc_id			VPC ID of Private Mode load balancer. Required when Private Mode is enabled on the Controller.
transit_private_mode_subnet_zone			Availability Zone of the subnet. Required when Private Mode is enabled on the Controller and cloud_type is AWS or AWSGov.
transit_private_mode_subnets
transit_ha_private_mode_subnet_zone			Availability Zone of the HA subnet. Required when Private Mode is enabled on the Controller and cloud_type is AWS or AWSGov.
transit_resource_group			Specify existing resource group to deploy transit resources into.
transit_single_az_ha		true	Set to false if Controller managed Gateway HA is desired
transit_single_ip_snat		false	Specify whether to enable Source NAT feature in single_ip mode on the gateway or not. Please disable AWS NAT instance before enabling this feature. Currently only supports AWS(1) and AZURE(8)
transit_tags			Map of tags to assign to the gateway.
transit_tunnel_detection_time			The IPsec tunnel down detection time for the Spoke Gateway in seconds. Must be a number in the range [20-600]. Default is 60.
firenet		false	Set to true to deploy firenet in this transit entry.
firenet_attached		true	Attach firewall instances to Aviatrix Gateways.
firenet_bootstrap_bucket_name_1			Name of bootstrap bucket to pull firewall config from. (If bootstrap_bucket_name_2 is not set, this will used for all NGFW instances)
firenet_bootstrap_bucket_name_2			Name of bootstrap bucket to pull firewall config from. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc))
firenet_bootstrap_storage_name_1		null	Storagename to get bootstrap files from (PANW only). (If bootstrap_storage_name_2 is not set, this will used for all NGFW instances)
firenet_bootstrap_storage_name_2		null	Storagename to get bootstrap files from (PANW only) (Only used when HA FW instance is deployed)
firenet_custom_fw_names		[]	If set, the NGFW instances will be deployed with the names provided in this list. First half of the list for instances in az1, second half for az2.
firenet_east_west_inspection_excluded_cidrs			Network List Excluded From East-West Inspection.
firenet_egress_cidr			CIDR For Egress VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true.
firenet_egress_enabled		false	Enable/disable internet egress via NGFW.
firenet_egress_static_cidrs		[]	List of egress static CIDRs. Egress is required to be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"].
firenet_file_share_folder_1		null	Name of the folder containing the bootstrap files (PANW only) (If file_share_folder_2 is not set, this will used for all NGFW instances)
firenet_file_share_folder_2		null	Name of the folder containing the bootstrap files (PANW only) (Only used when HA FW instance is deployed)
firenet_firewall_image**			The firewall image to be used to deploy the NGFW's.
firenet_firewall_image_id			Firewall image ID. Applicable to AWS and Azure only. For AWS, please use AMI ID. For Azure, the format is “Publisher:Offer:Plan:Version”.
firenet_firewall_image_version			When not provided, latest available will be used.
firenet_fw_amount			The amount of NGFW instances to deploy. These will be deployed accross multiple AZ's. Amount must be even and only applies when transit is HA.
firenet_iam_role_1			IAM Role used to access bootstrap bucket. (If iam_role_2 is not set, this will used for all NGFW instances)
firenet_iam_role_2			IAM Role used to access bootstrap bucket. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc))
firenet_inspection_enabled		true	Enable/disable east/west + north/south inspection via NGFW.
firenet_instance_size		c5.xlarge Standard_D3_v2 n1-standard-4 VM.Standard2.4	Size of the NGFW instances
firenet_keep_alive_via_lan_interface_enabled		False	Enable Keep Alive via Firewall LAN Interface.
firenet_mgmt_cidr			CIDR For Management VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true and deploying Palo Alto NGFW.
firenet_password		Aviatrix#1234	Default initial password for firewall instances
firenet_storage_access_key_1		null	Storage_access_key to access bootstrap storage (PANW only) (If storage_access_key_2 is not set, this will used for all NGFW instances)
firenet_storage_access_key_2		null	Storage_access_key to access bootstrap storage (PANW only) (Only used when HA FW instance is deployed)
firenet_tags			Map of tags to assign to the firewall or FQDN egress gw's.
firenet_user_data_1			Userdata to bootstrap FortiGate or Checkpoint Firewall.
firenet_user_data_2			Userdata to bootstrap FortiGate or Checkpoint Firewall. If not set, user_data_1 will be used.
firenet_username		fwadmin	Applicable to Azure or AzureGov deployment only. "admin" as a username is not accepted. (For Checkpoint it is always admin)

Global settings for Transit Firenet map

If you want to override default settings, without having to declare them for each individual entry in the transit firenet map, you can do that by defining the global_settings map. The following items are supported:

key	type
transit_accounts	map(string)
transit_bgp_ecmp	bool
transit_bgp_polling_time	number
transit_connected_transit	bool
transit_customer_managed_keys	bool
transit_enable_active_standby_preemptive	bool
transit_enable_advertise_transit_cidr	bool
transit_enable_egress_transit_firenet	bool
transit_enable_encrypt_volume	bool
transit_enable_multi_tier_transit	bool
transit_enable_s2c_rx_balancing	bool
transit_enable_transit_firenet	bool
transit_ha_gw	bool
transit_insane_mode	bool
transit_learned_cidr_approval	bool
transit_learned_cidrs_approval_mode	string
transit_segmentation	bool
transit_single_az_ha	bool
transit_tags	map(string)
transit_tunnel_detection_time	number
transit_enable_preserve_as_path	bool
transit_enable_monitor_gateway_subnets	bool
transit_enable_gro_gso	bool
transit_bgp_hold_time	number
firenet	bool
firenet_attached	bool
firenet_east_west_inspection_excluded_cidrs	list(string)
firenet_egress_enabled	bool
firenet_egress_static_cidrs	list(string)
firenet_firewall_image	map(string)
firenet_fw_amount	number
firenet_inspection_enabled	bool
firenet_keep_alive_via_lan_interface_enabled	bool
firenet_tags	map(string)

Outputs

This module will return the following outputs:

key	description
transit	A map containing all created transit objects
firenet	A map containing all created firenet objects
region_transit_map	A map of all regions with a list per region of transit gw names in that region.

See how to use outputs to attach for example, spokes or VPN's to the transits created with this module.