Appendix D: Ivanti Connect Secure Terraform Template
Terraform is an open source tool to easily define, preview, and deploy cloud infrastructure on AWS Cloud. Ivanti provides sample Terraform template files for 2 NICs and 3 NICs to deploy the Ivanti Connect Secure Virtual Appliance on AWS Cloud. Users can modify these templates to suit their needs. To download the Cloud Templates, see product-downloads.
Base Setup
#Terraform version
terraform {
  # Minimum Terraform core version this template was written against.
  # NOTE(review): there is no required_providers block, so the AWS provider
  # version is unpinned and may change between runs; pin it for reproducible deploys.
  required_version = ">= v0.12.24"
}
#Region
provider "aws" {
  # Every resource in this template is created in this region (variable "region").
  # The availability zone is chosen per resource, not on the provider.
  region = var.region
}
#Create a VPC
resource "aws_vpc" "vpc" {
  # NOTE: the subnet CIDRs in variable "subnet_map" are not derived from this
  # range; they must fall inside it, so keep both in sync when customising.
  cidr_block = "10.22.0.0/16"

  tags = {
    Name = var.vpc
  }
}
#Create Subnet for zone-1
#Internal Port
resource "aws_subnet" "vsw-zone-1-pcs-int-port-subnet" {
  # Internal-port subnet for zone_1; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_1
  cidr_block        = var.subnet_map[var.zone_1]["pcs_int_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_1]["pcs_int_port"]["name"]
  }
}
#External Port
resource "aws_subnet" "vsw-zone-1-pcs-ext-port-subnet" {
  # External-port subnet for zone_1; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_1
  cidr_block        = var.subnet_map[var.zone_1]["pcs_ext_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_1]["pcs_ext_port"]["name"]
  }
}
#Management Port
resource "aws_subnet" "vsw-zone-1-pcs-mgmt-port-subnet" {
  # Management-port subnet for zone_1; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_1
  cidr_block        = var.subnet_map[var.zone_1]["pcs_mgmt_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_1]["pcs_mgmt_port"]["name"]
  }
}
#Tunnel Subnet
resource "aws_subnet" "vsw-zone-1-pcs-tunnel-subnet" {
  # Tunnel subnet for zone_1; no security group in this file refers to it.
  availability_zone = var.zone_1
  cidr_block        = var.subnet_map[var.zone_1]["pcs_tunnel_subnet"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_1]["pcs_tunnel_subnet"]["name"]
  }
}
#Create Subnet for zone-2
#Internal Port
resource "aws_subnet" "vsw-zone-2-pcs-int-port-subnet" {
  # Internal-port subnet for zone_2; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_2
  cidr_block        = var.subnet_map[var.zone_2]["pcs_int_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_2]["pcs_int_port"]["name"]
  }
}
#External Port
resource "aws_subnet" "vsw-zone-2-pcs-ext-port-subnet" {
  # External-port subnet for zone_2; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_2
  cidr_block        = var.subnet_map[var.zone_2]["pcs_ext_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_2]["pcs_ext_port"]["name"]
  }
}
#Management Port
resource "aws_subnet" "vsw-zone-2-pcs-mgmt-port-subnet" {
  # Management-port subnet for zone_2; CIDR and Name tag come from variable "subnet_map".
  availability_zone = var.zone_2
  cidr_block        = var.subnet_map[var.zone_2]["pcs_mgmt_port"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_2]["pcs_mgmt_port"]["name"]
  }
}
#Tunnel Port
resource "aws_subnet" "vsw-zone-2-pcs-tunnel-subnet" {
  # Tunnel subnet for zone_2; no security group in this file refers to it.
  availability_zone = var.zone_2
  cidr_block        = var.subnet_map[var.zone_2]["pcs_tunnel_subnet"]["cidr"]
  vpc_id            = aws_vpc.vpc.id

  tags = {
    Name = var.subnet_map[var.zone_2]["pcs_tunnel_subnet"]["name"]
  }
}
#Create Security Group for PCS Internal Port
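resource "aws_security_group" "sg_pcs_int_port" {
  name        = var.security_group_map["pcs_int_port"]
  description = "Security Group rules for PCS Internal Port"
  vpc_id      = aws_vpc.vpc.id

  tags = {
    Name = var.security_group_map["pcs_int_port"]
  }

  # The internal port is the instance's primary interface and the 2-NIC/3-NIC
  # templates attach an Elastic IP to it, so every 0.0.0.0/0 rule below is reachable
  # from the internet. Cluster-only ports are limited to the VPC range, because the
  # cluster peers are deployed into subnets of this VPC; the remaining rules keep the
  # original open source and should be narrowed to the ranges that need them.

  #HTTP
  ingress {
    description = "HTTP Port 80"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    #cidr_blocks = # add your IP address here
    cidr_blocks = ["0.0.0.0/0"]
  }

  #HTTPS
  ingress {
    description = "HTTPS port 443"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    #cidr_blocks = # add your IP address here
    cidr_blocks = ["0.0.0.0/0"]
  }

  #SSH on the non-standard port 6667
  ingress {
    description = "SSh port 6667"
    from_port   = 6667
    to_port     = 6667
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    #cidr_blocks = # add your IP address here
    cidr_blocks = ["0.0.0.0/0"]
  }

  #SSH
  ingress {
    description = "SSh port 22"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # Please restrict your ingress to only necessary IPs and ports.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    #cidr_blocks = # add your IP address here
    cidr_blocks = ["0.0.0.0/0"]
  }

  #DMI Netconf port
  ingress {
    description = "DMI Netconf port"
    from_port   = 830
    to_port     = 830
    protocol    = "tcp"
    # Please restrict your ingress to the management system that uses DMI.
    # Opening to 0.0.0.0/0 can lead to security vulnerabilities.
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow All ICMP
  ingress {
    description = "Allow All ICMP"
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  #TCP Ports for Cluster Communication (VPC-internal only)
  ingress {
    description = "TCP Ports for Cluster Communication"
    from_port   = 11000
    to_port     = 11099
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #TCP Ports 4808 and 4809 for Cluster Communication (VPC-internal only)
  ingress {
    description = "TCP Ports 4808 and 4809 for Cluster Communication"
    from_port   = 4808
    to_port     = 4809
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #TCP Ports 4900 - 4910 for Cluster Key Exchange and State Sync (VPC-internal only)
  ingress {
    description = "TCP Ports 4900 - 4910 for Cluster Key Exchange and State Sync"
    from_port   = 4900
    to_port     = 4910
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #UDP Ports for Cluster Communication (VPC-internal only)
  ingress {
    description = "UDP Ports for Cluster Communication"
    from_port   = 4803
    to_port     = 4803
    protocol    = "udp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #UDP Ports for Cluster HeartBeat (VPC-internal only)
  ingress {
    description = "UDP Ports for Cluster HeartBeat"
    from_port   = 4804
    to_port     = 4804
    protocol    = "udp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #UDP Ports for L3 Connection
  ingress {
    description = "UDP Ports for Pulse L3 Connection"
    from_port   = 4500
    to_port     = 4500
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow all Outbound connections(this is needed for AWS)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}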
#Create Security Group for External Port
resource "aws_security_group" "sg_pcs_ext_port" {
  name        = var.security_group_map["pcs_ext_port"]
  description = "Security Group rules for PCS External Port"
  vpc_id      = aws_vpc.vpc.id

  tags = {
    Name = var.security_group_map["pcs_ext_port"]
  }

  # The external port is the client-facing side of the appliance, so these rules
  # accept any source. Narrow them if remote users come from known address ranges.

  #HTTP
  ingress {
    description = "HTTP Port 80"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  #HTTPS
  ingress {
    description = "HTTPS port 443"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow All ICMP
  ingress {
    description = "Allow All ICMP"
    protocol    = "icmp"
    from_port   = -1
    to_port     = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  #UDP Ports for L3 Connection
  ingress {
    description = "UDP Ports for L3 Connection"
    protocol    = "udp"
    from_port   = 4500
    to_port     = 4500
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow all Outbound connections
  egress {
    description = "Allow all outbound connections"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
#Create Security Group for Management Port
resource "aws_security_group" "sg_pcs_mgmt_port" {
  name        = var.security_group_map["pcs_mgmt_port"]
  description = "Security Group rules for Management Port"
  vpc_id      = aws_vpc.vpc.id

  tags = {
    Name = var.security_group_map["pcs_mgmt_port"]
  }

  # The 3-NIC template attaches an Elastic IP to the management port, so these
  # rules are internet-reachable as written.
  # Please restrict your ingress to only necessary IPs and ports.
  # Opening to 0.0.0.0/0 can lead to security vulnerabilities.

  #HTTP
  ingress {
    description = "Allow all HTTP"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  #HTTPS
  ingress {
    description = "Allow all HTTPS"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  #DMI Netconf port
  ingress {
    description = "Allow DMI Netconf"
    protocol    = "tcp"
    from_port   = 830
    to_port     = 830
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow All ICMP
  ingress {
    description = "Allow All ICMP"
    protocol    = "icmp"
    from_port   = -1
    to_port     = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  #Allow all Outbound connections
  egress {
    description = "Allow all outbound connections"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
#Create Security Group for Backend Servers
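resource "aws_security_group" "sg_backend_svr" {
  name        = var.security_group_map["backend_svr"]
  description = "Security Group for backend servers in protected network"
  vpc_id      = aws_vpc.vpc.id

  tags = {
    Name = var.security_group_map["backend_svr"]
  }

  # Backend servers sit in the protected network behind the appliance, so they are
  # only reached from inside this VPC (the appliance's internal port and tunnel
  # subnet both live here). Ingress is therefore limited to the VPC range rather than
  # 0.0.0.0/0; widen a rule deliberately if a server must be reachable from elsewhere.

  #HTTPS
  ingress {
    description = "Allow all HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #HTTP
  ingress {
    description = "Allow all HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #SSH
  ingress {
    description = "Allow all SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #Allow All ICMP
  ingress {
    description = "Allow all ICMP"
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = [aws_vpc.vpc.cidr_block]
  }

  #Allow all Outbound connections
  egress {
    description = "Allow all outbound connections"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}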
#Create internet gateway, so instances can connect to internet
resource "aws_internet_gateway" "internet_gateway" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    # Derive the gateway name from the VPC's Name tag, e.g. "<vpc name>-igw".
    Name = format("%s-igw", aws_vpc.vpc.tags["Name"])
  }
}
#Create route to internet in VPC default route table through internet gateway created in Internet Gateway Block
resource "aws_route" "route_to_internet" {
  # Installs a default route in the VPC's default route table. None of the subnets
  # above is associated with another table, so all of them become internet-routable
  # through the gateway; keep that in mind for the backend and tunnel subnets.
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.internet_gateway.id
  route_table_id         = aws_vpc.vpc.default_route_table_id
}
ICS with 2 NICs
#Terraform version
terraform {
  # Minimum Terraform core version; the AWS provider version itself is not pinned here.
  required_version = ">= v0.12.24"
}
#Region
provider "aws" {
  # Region for the data-source lookups and the instance created below.
  region = var.region
}
#Data sources
#VPCs
#Available VPCs in the region
# Lists every VPC in the region. Nothing else in this template references it.
data "aws_vpcs" "ds_vpcs" {}
#VPC of interest
# VPC ids matching the Name tag. The locals below use data.aws_vpc.ds_vpc instead,
# so this lookup is not consumed by the rest of this template.
data "aws_vpcs" "ds_vpc" {
  filter {
    name   = "tag:Name"
    values = [var.vpc]
  }
}
# The single VPC (created by the base setup) whose Name tag equals var.vpc.
# Its id feeds local.vpc_id for all subnet and security-group lookups.
data "aws_vpc" "ds_vpc" {
  tags = {
    Name = var.vpc
  }
}
#Security Group for Internal Port
data "aws_security_group" "sg_pcs_int_port" {
  # Internal-port security group, looked up by the name the base setup created.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_int_port"]
}
#Security Group for External Port
data "aws_security_group" "sg_pcs_ext_port" {
  # External-port security group, looked up by the name the base setup created.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_ext_port"]
}
#Security Group for Management Port
data "aws_security_group" "sg_pcs_mgmt_port" {
  # Management-port security group; resolved but not attached in the 2-NIC template.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_mgmt_port"]
}
#Security Group for Backend Servers
data "aws_security_group" "sg_backend_svr" {
  # Backend-server security group; resolved for local.security_group_id_map only.
  vpc_id = local.vpc_id
  name   = var.security_group_map["backend_svr"]
}
#Internal Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_int_port_subnet" {
  # zone_1 internal-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_int_port"]["name"]]
  }
}
#External Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_ext_port_subnet" {
  # zone_1 external-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_ext_port"]["name"]]
  }
}
#Management Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_mgmt_port_subnet" {
  # zone_1 management-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_mgmt_port"]["name"]]
  }
}
#Internal Port Subnet for zone_2
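data "aws_subnet" "zone_2_pcs_int_port_subnet" {
  # zone_2 internal-port subnet. The lookup key must be var.zone_2: the original
  # used var.zone_1 here, so the zone_2 entry of local.subnet_id_map resolved to the
  # zone_1 subnet and an instance placed in zone_2 would fail with an AZ mismatch.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_int_port"]["name"]]
  }
}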
#External Port Subnet for zone_2
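data "aws_subnet" "zone_2_pcs_ext_port_subnet" {
  # zone_2 external-port subnet. The lookup key must be var.zone_2; the original
  # used var.zone_1, which returned the zone_1 subnet for the zone_2 map entry.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_ext_port"]["name"]]
  }
}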
#Management Port Subnet for zone_2
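data "aws_subnet" "zone_2_pcs_mgmt_port_subnet" {
  # zone_2 management-port subnet. The lookup key must be var.zone_2; the original
  # used var.zone_1, which returned the zone_1 subnet for the zone_2 map entry.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_mgmt_port"]["name"]]
  }
}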
#AMI ID corresponding to the image name passed
# AMI ids owned by this account whose Name tag equals var.image_name.
# The instance below uses var.ami_id directly, so this lookup is informational.
data "aws_ami_ids" "ds_image" {
  owners = ["self"]

  filter {
    name   = "tag:Name"
    values = [var.image_name]
  }
}
# Details of the AMI referenced by var.ami_id (exposed through output "aws_ami_id").
data "aws_ami" "ds_pcs_image_info_for_ami_id" {
  # Restricting owners to var.image_from (self or aws-marketplace) keeps the lookup
  # from matching an image published by an unexpected account.
  owners      = [var.image_from]
  most_recent = true

  filter {
    name   = "image-id"
    values = [var.ami_id]
  }
}
#Local variables
locals {
  # Id of the VPC the base setup created.
  vpc_id = data.aws_vpc.ds_vpc.id

  # Subnet ids per availability zone and port role, indexed by var.zone at use sites.
  subnet_id_map = {
    (var.zone_1) = {
      pcs_int_port  = data.aws_subnet.zone_1_pcs_int_port_subnet.id
      pcs_ext_port  = data.aws_subnet.zone_1_pcs_ext_port_subnet.id
      pcs_mgmt_port = data.aws_subnet.zone_1_pcs_mgmt_port_subnet.id
    }
    (var.zone_2) = {
      pcs_int_port  = data.aws_subnet.zone_2_pcs_int_port_subnet.id
      pcs_ext_port  = data.aws_subnet.zone_2_pcs_ext_port_subnet.id
      pcs_mgmt_port = data.aws_subnet.zone_2_pcs_mgmt_port_subnet.id
    }
  }

  # Security group ids per port role, resolved from the names in var.security_group_map.
  security_group_id_map = {
    pcs_int_port  = data.aws_security_group.sg_pcs_int_port.id
    pcs_ext_port  = data.aws_security_group.sg_pcs_ext_port.id
    pcs_mgmt_port = data.aws_security_group.sg_pcs_mgmt_port.id
    backend_svr   = data.aws_security_group.sg_backend_svr.id
  }
}
#Create AWS Key Pair that can be used to connect to VM console on AWS cloud
resource "aws_key_pair" "aws_public_key" {
  # Key pair name is "<instance name>-<key name>" so each instance gets its own entry.
  key_name   = format("%s-%s", var.instance_name, var.ssh_key_map["name"])
  public_key = var.ssh_key_map["public_key"]
}
#Create a instance on AWS
resource "aws_instance" "pcs_instance" {
#ami = data.aws_ami.ds_image_info.image_id
#AMI is taken directly from var.ami_id; make sure it exists in var.region
ami = var.ami_id
#instance_type = "t2.micro"
#instance_type = var.instance_type #ecs.hfc5.large
instance_type = var.instance_type_map["2_nics"]
#key name that has to be associated with this PCS instance
#key_name = var.ssh_key_map["name"] #this should be same as the key_name used as part of aws_key_pair resource
key_name = aws_key_pair.aws_public_key.key_name
tags = {
Name = var.instance_name
}
#instance_name = var.instance_name
#var.zone must be one of the keys of var.subnet_map (zone_1 or zone_2), otherwise the subnet lookup below fails
availability_zone = var.zone
#subnet from which pcs int port has to be created
subnet_id = local.subnet_id_map[var.zone]["pcs_int_port"]
#security group to assign to PCS internal port(primary interface)
#security_groups = [ local.security_group_id_map["pcs_int_port"] ]
vpc_security_group_ids = [ local.security_group_id_map["pcs_int_port"] ]
#Associate a public ip address with the PCS instance(instead of Elastic IP)
#associate_public_ip_address = true
#user-data to be used for PCS initial config
#NOTE(review): the values below (DNS/WINS servers, dns-domain, admin-username,
#admin-password, cert fields) are sample data. user_data is kept in the Terraform
#state and is readable through the EC2 API and instance metadata, so replace the
#samples and do not commit a real admin password into this template.
user_data = "<pulse-config><primary-dns>8.8.8.8</primary-dns><secondary-dns>8.8.8.9</secondary-dns><wins-server>1.1.1.1</wins-server><dns-domain>pcsqa.psecure.net</dns-domain><admin-username>admindb</admin-username><admin-password>********</admin-password><cert-common-name>aws-pcs.psecure.net</cert-common-name><cert-random-text>fdsfpisonvsfnms</cert-random-text><cert-organisation>Psecure Org</cert-organisation><config-download-url></config-download-url><config-data></config-data><auth-code-license></auth-code-license><enable-license-server>n</enable-license-server><accept-license-agreement>y</accept-license-agreement></pulse-config>"
}
#Create External Port and attach to instance
resource "aws_network_interface" "pcs_ext_port" {
  description     = "External port"
  subnet_id       = local.subnet_id_map[var.zone]["pcs_ext_port"]
  security_groups = [local.security_group_id_map["pcs_ext_port"]]

  # Attached as eth1 of the instance (device_index 0 is the primary/internal port).
  attachment {
    instance     = aws_instance.pcs_instance.id
    device_index = 1
  }
}
#Create a new EIP for Internal Port
# Elastic IP for the internal (primary) port. The internet gateway comes from the
# base setup and is not referenced here, so apply that template first.
resource "aws_eip" "pcs_int_port_eip" {
  vpc = true
}
#Assign the EIP to the instance (this will get assigned to the default interface, which is internal port)
# Bind the EIP to the instance's primary interface, i.e. the internal port.
# This makes every 0.0.0.0/0 rule in sg_pcs_int_port reachable from the internet.
resource "aws_eip_association" "pcs_int_port_eip_asso" {
  network_interface_id = aws_instance.pcs_instance.primary_network_interface_id
  allocation_id        = aws_eip.pcs_int_port_eip.id
}
#Create a new EIP for External port
# Elastic IP for the external (client-facing) port.
resource "aws_eip" "pcs_ext_port_eip" {
  vpc = true
}
#Assign the EIP to the External Port(do not assign to VM instance, since it is used by internal port)
# Bind the EIP to the external ENI, not to the instance (the instance-level
# association would target the internal port).
resource "aws_eip_association" "pcs_ext_port_eip_asso" {
  network_interface_id = aws_network_interface.pcs_ext_port.id
  allocation_id        = aws_eip.pcs_ext_port_eip.id
}
#Output
#output "vswitch_id_map" {
# value = local.vswitch_id_map
#}
#output "security_group_id_map" {
# value = local.security_group_id_map
#}
#available images loaded by the user
# Full attribute set of the AMI resolved from var.ami_id.
output "aws_ami_id" {
  value = data.aws_ami.ds_pcs_image_info_for_ami_id
}
#details of instance deployed on AWS
# Every attribute of the deployed instance. Review what this exposes in plan/apply
# output before sharing it; consider sensitive = true if that is a concern.
output "deployed_pcs_info" {
  value = aws_instance.pcs_instance
}
ICS with 3 NICs
#Terraform version
terraform {
  # Minimum Terraform core version; the AWS provider version itself is not pinned here.
  required_version = ">= v0.12.24"
}
#Region
provider "aws" {
  # Region for the data-source lookups and the instance created below.
  region = var.region
}
#Data sources
#VPCs
#Available VPCs in the region
# Lists every VPC in the region. Nothing else in this template references it.
data "aws_vpcs" "ds_vpcs" {}
#VPC of interest
# VPC ids matching the Name tag. The locals below use data.aws_vpc.ds_vpc instead,
# so this lookup is not consumed by the rest of this template.
data "aws_vpcs" "ds_vpc" {
  filter {
    name   = "tag:Name"
    values = [var.vpc]
  }
}
# The single VPC (created by the base setup) whose Name tag equals var.vpc.
# Its id feeds local.vpc_id for all subnet and security-group lookups.
data "aws_vpc" "ds_vpc" {
  tags = {
    Name = var.vpc
  }
}
#Security Group for Internal Port
data "aws_security_group" "sg_pcs_int_port" {
  # Internal-port security group, looked up by the name the base setup created.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_int_port"]
}
#Security Group for External Port
data "aws_security_group" "sg_pcs_ext_port" {
  # External-port security group, looked up by the name the base setup created.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_ext_port"]
}
#Security Group for Management Port
data "aws_security_group" "sg_pcs_mgmt_port" {
  # Management-port security group, attached to the management ENI below.
  vpc_id = local.vpc_id
  name   = var.security_group_map["pcs_mgmt_port"]
}
#Security Group for Backend Servers
data "aws_security_group" "sg_backend_svr" {
  # Backend-server security group; resolved for local.security_group_id_map only.
  vpc_id = local.vpc_id
  name   = var.security_group_map["backend_svr"]
}
#Internal Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_int_port_subnet" {
  # zone_1 internal-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_int_port"]["name"]]
  }
}
#External Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_ext_port_subnet" {
  # zone_1 external-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_ext_port"]["name"]]
  }
}
#Management Port Subnet for zone_1
data "aws_subnet" "zone_1_pcs_mgmt_port_subnet" {
  # zone_1 management-port subnet, matched on the Name tag from variable "subnet_map".
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_1]["pcs_mgmt_port"]["name"]]
  }
}
#Internal Port Subnet for zone_2
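data "aws_subnet" "zone_2_pcs_int_port_subnet" {
  # zone_2 internal-port subnet. The lookup key must be var.zone_2: the original
  # used var.zone_1 here, so the zone_2 entry of local.subnet_id_map resolved to the
  # zone_1 subnet and an instance placed in zone_2 would fail with an AZ mismatch.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_int_port"]["name"]]
  }
}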
#External Port Subnet for zone_2
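data "aws_subnet" "zone_2_pcs_ext_port_subnet" {
  # zone_2 external-port subnet. The lookup key must be var.zone_2; the original
  # used var.zone_1, which returned the zone_1 subnet for the zone_2 map entry.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_ext_port"]["name"]]
  }
}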
#Management Port Subnet for zone_2
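data "aws_subnet" "zone_2_pcs_mgmt_port_subnet" {
  # zone_2 management-port subnet. The lookup key must be var.zone_2; the original
  # used var.zone_1, which returned the zone_1 subnet for the zone_2 map entry.
  vpc_id = local.vpc_id

  filter {
    name   = "tag:Name"
    values = [var.subnet_map[var.zone_2]["pcs_mgmt_port"]["name"]]
  }
}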
#==================================================================
#AMI ID corresponding to the image name passed
# AMI ids owned by this account whose Name tag equals var.image_name.
# The instance below uses var.ami_id directly, so this lookup is informational.
data "aws_ami_ids" "ds_image" {
  owners = ["self"]

  filter {
    name   = "tag:Name"
    values = [var.image_name]
  }
}
# Details of the AMI referenced by var.ami_id (exposed through output "aws_ami_id").
data "aws_ami" "ds_pcs_image_info_for_ami_id" {
  # Restricting owners to var.image_from (self or aws-marketplace) keeps the lookup
  # from matching an image published by an unexpected account.
  owners      = [var.image_from]
  most_recent = true

  filter {
    name   = "image-id"
    values = [var.ami_id]
  }
}
#Local variables
locals {
  # Id of the VPC the base setup created.
  vpc_id = data.aws_vpc.ds_vpc.id

  # Subnet ids per availability zone and port role, indexed by var.zone at use sites.
  subnet_id_map = {
    (var.zone_1) = {
      pcs_int_port  = data.aws_subnet.zone_1_pcs_int_port_subnet.id
      pcs_ext_port  = data.aws_subnet.zone_1_pcs_ext_port_subnet.id
      pcs_mgmt_port = data.aws_subnet.zone_1_pcs_mgmt_port_subnet.id
    }
    (var.zone_2) = {
      pcs_int_port  = data.aws_subnet.zone_2_pcs_int_port_subnet.id
      pcs_ext_port  = data.aws_subnet.zone_2_pcs_ext_port_subnet.id
      pcs_mgmt_port = data.aws_subnet.zone_2_pcs_mgmt_port_subnet.id
    }
  }

  # Security group ids per port role, resolved from the names in var.security_group_map.
  security_group_id_map = {
    pcs_int_port  = data.aws_security_group.sg_pcs_int_port.id
    pcs_ext_port  = data.aws_security_group.sg_pcs_ext_port.id
    pcs_mgmt_port = data.aws_security_group.sg_pcs_mgmt_port.id
    backend_svr   = data.aws_security_group.sg_backend_svr.id
  }
}
#Create AWS Key Pair that can be used to connect to VM console on AWS cloud
resource "aws_key_pair" "aws_public_key" {
  # Key pair name is "<instance name>-<key name>" so each instance gets its own entry.
  key_name   = format("%s-%s", var.instance_name, var.ssh_key_map["name"])
  public_key = var.ssh_key_map["public_key"]
}
#Create a instance on AWS
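resource "aws_instance" "pcs_instance" {
  # AMI is taken directly from var.ami_id; make sure it exists in var.region.
  ami = var.ami_id

  # This is the 3-NIC template, so use the 3-NIC instance size. The original
  # selected "2_nics" here, which silently ignored the "3_nics" entry of
  # var.instance_type_map.
  instance_type = var.instance_type_map["3_nics"]

  # Key pair created above; must match the aws_key_pair key_name.
  key_name = aws_key_pair.aws_public_key.key_name

  tags = {
    Name = var.instance_name
  }

  # var.zone must be one of the keys of var.subnet_map (zone_1 or zone_2),
  # otherwise the subnet lookup below fails.
  availability_zone = var.zone

  # Primary interface (eth0) is the internal port: its subnet and security group.
  subnet_id              = local.subnet_id_map[var.zone]["pcs_int_port"]
  vpc_security_group_ids = [local.security_group_id_map["pcs_int_port"]]

  # Public reachability comes from the Elastic IPs associated below, not from
  # associate_public_ip_address.

  # user-data consumed by the appliance for its initial configuration.
  # NOTE(review): the DNS/WINS servers, dns-domain, admin-username, admin-password
  # and cert fields are sample data. user_data is kept in the Terraform state and is
  # readable through the EC2 API and instance metadata, so replace the samples and
  # do not commit a real admin password into this template.
  # NOTE(review): config-download-url points at an S3 object outside your control;
  # the appliance imports whatever that URL serves at boot. Host the import file in
  # a bucket you own (or leave the element empty as the 2-NIC template does) and
  # review its contents before deploying.
  user_data = "<pulse-config><primary-dns>8.8.8.8</primary-dns><secondary-dns>8.8.8.9</secondary-dns><wins-server>1.1.1.1</wins-server><dns-domain>pcsqa.psecure.net</dns-domain><admin-username>admindb</admin-username><admin-password>*******</admin-password><cert-common-name>aws-pcs.psecure.net</cert-common-name><cert-random-text>fdsfpisonvsfnms</cert-random-text><cert-organisation>Psecure Org</cert-organisation><config-download-url>https://ss-pcs-qa.s3.ap-south-1.amazonaws.com/import-config-snat-enabled.xml</config-download-url><config-data></config-data><auth-code-license></auth-code-license><enable-license-server>n</enable-license-server><accept-license-agreement>y</accept-license-agreement></pulse-config>"
}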
#Create External Port and attach to instance
resource "aws_network_interface" "pcs_ext_port" {
  description     = "PCS external port"
  subnet_id       = local.subnet_id_map[var.zone]["pcs_ext_port"]
  security_groups = [local.security_group_id_map["pcs_ext_port"]]

  # Attached as eth1 of the instance (device_index 0 is the primary/internal port).
  attachment {
    instance     = aws_instance.pcs_instance.id
    device_index = 1
  }
}
#Create Management Port and attach to instance
resource "aws_network_interface" "pcs_mgmt_port" {
  description     = "PCS management port"
  subnet_id       = local.subnet_id_map[var.zone]["pcs_mgmt_port"]
  security_groups = [local.security_group_id_map["pcs_mgmt_port"]]

  # Attached as eth2 of the instance. An Elastic IP is bound to this ENI further
  # down, so the management interface is exposed according to sg_pcs_mgmt_port.
  attachment {
    instance     = aws_instance.pcs_instance.id
    device_index = 2
  }
}
#Create a new EIP for Internal port
# Elastic IP for the internal (primary) port. The internet gateway comes from the
# base setup and is not referenced here, so apply that template first.
resource "aws_eip" "pcs_int_port_eip" {
  vpc = true
}
#Assign the EIP to the instance (this will get assigned to the default interface, which is internal port)
# Bind the EIP to the instance's primary interface, i.e. the internal port.
# This makes every 0.0.0.0/0 rule in sg_pcs_int_port reachable from the internet.
resource "aws_eip_association" "pcs_int_port_eip_asso" {
  network_interface_id = aws_instance.pcs_instance.primary_network_interface_id
  allocation_id        = aws_eip.pcs_int_port_eip.id
}
#Create a new EIP for External Port
# Elastic IP for the external (client-facing) port.
resource "aws_eip" "pcs_ext_port_eip" {
  vpc = true
}
#Assign the EIP to the External Port(do not assign to VM instance, since it is used by internal port)
# Bind the EIP to the external ENI, not to the instance (the instance-level
# association would target the internal port).
resource "aws_eip_association" "pcs_ext_port_eip_asso" {
  network_interface_id = aws_network_interface.pcs_ext_port.id
  allocation_id        = aws_eip.pcs_ext_port_eip.id
}
#Create a new EIP for Management Port
# Elastic IP for the management port. Giving the management interface a public
# address is a choice of this sample; drop this EIP if management should stay private.
resource "aws_eip" "pcs_mgmt_port_eip" {
  vpc = true
}
#Assign the EIP to the management Port
# Bind the management EIP to the management ENI. With sg_pcs_mgmt_port as shipped
# (80/443/830 from 0.0.0.0/0) this exposes the admin interfaces to the internet.
resource "aws_eip_association" "pcs_mgmt_port_eip_asso" {
  network_interface_id = aws_network_interface.pcs_mgmt_port.id
  allocation_id        = aws_eip.pcs_mgmt_port_eip.id
}
#Output
#output "vswitch_id_map" {
# value = local.vswitch_id_map
#}
#output "security_group_id_map" {
# value = local.security_group_id_map
#}
#available images loaded by the user
# Full attribute set of the AMI resolved from var.ami_id.
output "aws_ami_id" {
  value = data.aws_ami.ds_pcs_image_info_for_ami_id
}
#details of the instance deployed on AWS
# Every attribute of the deployed instance. Review what this exposes in plan/apply
# output before sharing it; consider sensitive = true if that is a concern.
output "deployed_pcs_info" {
  value = aws_instance.pcs_instance
}
Variables
# AWS region used by the provider block of every template in this appendix.
variable "region" {
  default     = "ap-south-1"
  description = "The region where the resources(VPC, EC2) has to be created"
}
# Availability zone of the instance; must equal zone_1 or zone_2 so the
# subnet_map / subnet_id_map lookups keyed on it succeed.
variable "zone" {
  default     = "ap-south-1a"
  description = "The availability zone where the EC2 resource has to be created"
}
# First availability zone; the base setup creates one subnet per port role in it.
variable "zone_1" {
  default     = "ap-south-1a"
  description = "The availability zone(zone-1) where the EC2 resource has to be created. Useful for creating resources in different zones"
}
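# Second availability zone; the base setup creates one subnet per port role in it.
# The description previously said "zone-1", copied from variable zone_1.
variable "zone_2" {
  default     = "ap-south-1b"
  description = "The availability zone(zone-2) where the EC2 resource has to be created. Useful for creating resources in different zones"
}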
# Name tag of the VPC: set by the base setup and used by the NIC templates to find it.
# The default is a sample value; change it before deploying.
variable "vpc" {
  default     = "vpc-terra-sulthan2"
  description = "The name of the VPC under which subnets has to be created"
}
# Per-zone subnet names and CIDRs for each port role. The zone keys must match
# zone_1 / zone_2, and every CIDR must lie inside the VPC's 10.22.0.0/16.
variable "subnet_map" {
  type        = map
  description = "The names of subnets for int, ext and mgmt ports for both zone-1 and zone-2. Customise according to your environment"

  default = {
    "ap-south-1a" = {
      pcs_int_port = {
        name = "subnet-ap-south-1a-zone-pcs-int-port"
        cidr = "10.22.0.0/24"
      }
      pcs_ext_port = {
        name = "subnet-ap-south-1a-zone-pcs-ext-port"
        cidr = "10.22.1.0/24"
      }
      pcs_mgmt_port = {
        name = "subnet-ap-south-1a-zone-pcs-mgmt-port"
        cidr = "10.22.2.0/24"
      }
      pcs_tunnel_subnet = {
        name = "subnet-ap-south-1a-zone-pcs-tunnel-subnet"
        cidr = "10.22.3.0/24"
      }
    }
    "ap-south-1b" = {
      pcs_int_port = {
        name = "subnet-ap-south-1b-zone-pcs-int-port"
        cidr = "10.22.4.0/24"
      }
      pcs_ext_port = {
        name = "subnet-ap-south-1b-zone-pcs-ext-port"
        cidr = "10.22.5.0/24"
      }
      pcs_mgmt_port = {
        name = "subnet-ap-south-1b-zone-pcs-mgmt-port"
        cidr = "10.22.6.0/24"
      }
      pcs_tunnel_subnet = {
        name = "subnet-ap-south-1b-zone-pcs-tunnel-subnet"
        cidr = "10.22.7.0/24"
      }
    }
  }
}
# Security group names per port role; the base setup creates them and the NIC
# templates look them up by these names.
variable "security_group_map" {
  type        = map
  description = "The security group names for int, ext, mgmt ports and backend resources. Customise according to your environment"

  default = {
    pcs_int_port  = "sg_pcs_int_port"
    pcs_ext_port  = "sg_pcs_ext_port"
    pcs_mgmt_port = "sg_pcs_mgmt_port"
    backend_svr   = "sg_backend_svr"
  }
}
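# Name tag used by data "aws_ami_ids" "ds_image" to find AMIs in this account.
# The previous description ("Name you want to assign to this VM") described the
# wrong thing; the instance name is variable instance_name.
variable "image_name" {
  default     = "pulse-connect-secure-91r1-1505-4dbe1804-0d2a-499b-bd67-01bfde746ec5-ami-0ea5eb502b988260a.4"
  description = "Name tag of the AMI to look up in this account (used by the aws_ami_ids data source)"
}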
# Owner filter for the aws_ami lookup: limits which account's image may match var.ami_id.
variable "image_from" {
  default     = "aws-marketplace"
  description = "From where should I fetch the image from. can be self|aws-marketplace"
}
# AMI the instance boots from. AMI ids are region-specific, so verify this one
# exists in var.region and is the appliance release you intend to deploy.
variable "ami_id" {
  default     = "ami-02fe67adcf0e0b82a"
  description = "AMI ID of the image in market place that you want to use to deploy this VM"
}
# Instance size by NIC count; the NIC templates index this map at instance_type.
variable "instance_type_map" {
  type        = map
  description = "The instance types that should be assigned to 2 nics or 3 nics"

  default = {
    "2_nics" = "t2.medium"
    "3_nics" = "t2.large"
  }
}
# "name" becomes the suffix of the aws_key_pair key_name; "public_key" is uploaded
# to AWS as the key pair material for the instance.
# NOTE(review): the default public key below is a sample that ships with the
# template. Whoever holds the matching private key can log in to any instance
# deployed with it, so replace it with your own public key instead of relying on
# this default.
variable ssh_key_map {
description = "The ssh public key to use to login to the VM instance on AWS cloud"
type = map
default = {
"name" = "aws-public-key",
"public_key" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0MoRMdku5GQAKkOmfRzey5MNY9AsDHUXAtfIVvsShNxWXv4t43XjeOT6XhutzU2isYuhFteoA43nSnQ/kYJumO0TRi+cYQdz/KZohhlNcZqQMnlGaQF/ksjjWBSdulcSIRUv1rnEWaygU6VP3KXMAhrPR7710ReSdpth3HYJHROtFT8wFOaZUTwpi7Kjqc3h1q/IjNfe0rdSpyLdaK4XsOEYzRbk7mxddH/VHf+WNTvH2tgtkdMf+cQIMVj40W0aFbZp9bXZY3g2sotIZPViBzyMPaPkCcBm07ZiFFCjx7qUzqLk+IOrOTQNaTbsb3TFsKzKpiYXODRtOoGVXwjtD [email protected]",
}
}
# Single instance type; the templates shown use instance_type_map instead and only
# mention this variable in a commented-out line.
variable "instance_type" {
  default = "t2.medium"
}
# Name tag of the instance and prefix of its key pair name.
variable "instance_name" {
  default = "pcsaws21"
}
# Not referenced by the templates in this appendix; presumably for a two-node cluster.
variable "instance_name_1" {
  default = "pcsawsnode1"
}
# Not referenced by the templates in this appendix; presumably for a two-node cluster.
variable "instance_name_2" {
  default = "pcsawsnode2"
}
# Not referenced by the templates in this appendix (instance size comes from instance_type_map).
variable "cpu_core_count" {
  default = "4"
}
# Not referenced by the templates in this appendix (instance size comes from instance_type_map).
variable "memory_size" {
  default = "8"
}
# Not referenced by the templates in this appendix; the NIC count is fixed by which
# template (2 NICs or 3 NICs) is applied.
variable "eni_amount" {
  default = "2"
}