- Website: https://www.terraform.io
- Mailing list: Google Groups
- Terraform 0.10.x and above
- Go 1.9 or later (to build the provider plugin)
- Firepower v6.4.x or v6.7 in standalone mode
Download the latest release and copy it to your Terraform plugin directory (typically `~/.terraform.d/plugins/`).
Alternatively you can build it yourself:
```shell
$ go mod init terraform-provider-ciscofdm
$ go mod tidy
$ go build
```
Create a directory and place the compiled plugin there; this is needed in order to perform a `terraform init`.
On macOS:
```
$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/darwin_amd64
```
On Linux:
```
$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/linux_amd64
```
Example provider:
```hcl
provider "ciscofdm" {
  api_url       = "192.168.128.30"
  username      = "admin"
  password      = "Admin123"
  ssl_no_verify = true
}
```
| Property | Description | Required |
|---|---|---|
| api_url | The IP address of the FDM | Required |
| username | The username used to log in to the FDM | Required |
| password | The password used to log in to the FDM | Required |
| ssl_no_verify | Boolean; set to true to ignore self-signed certificates | Required |

Note that `ssl_no_verify = true` disables TLS certificate verification for the FDM API, so anyone able to intercept traffic on the management network can read the admin credentials. Use it only against a lab device, and install a certificate the Terraform host trusts for anything else. Likewise, avoid committing the password in plain text as in the example above: pass it in through a Terraform variable (for example via the `TF_VAR_` environment prefix) so it stays out of version control.
A resource for managing FDM NetworkObjects. A couple of fields accept only certain values, but the provider does no input checking, so an invalid value is only rejected by the FDM API at apply time.
```hcl
provider "ciscofdm" {
  api_url       = "192.168.128.30"
  username      = "admin"
  password      = "Admin123"
  ssl_no_verify = true
}

resource "ciscofdm_networkobject" "myobject" {
  name    = "Terraform Network Object"
  subtype = "HOST"
  value   = "2.2.2.3"
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Name you wish to give the network object | Required | |
| subtype | String type that can only be HOST or NETWORK | Required | HOST, NETWORK |
| value | For a HOST, simply the IP address; for a NETWORK, CIDR notation X.X.X.X/YY | Required | X.X.X.X, X.X.X.X/YY |
Use this resource to place NetworkObjects into groups. Please note that adding objects to the group which do not already exist on the system will leave your Terraform state out of sync with the device, so create the objects first.
```hcl
resource "ciscofdm_networkobjectgroup" "myobjectgroup" {
  name = "myNetworkGroup"
  objects {
    netname = "any-ipv6"
    type    = "networkobject"
  }
  objects {
    netname = "SomeOtherNet"
    type    = "networkobject"
  }
  type = "networkobjectgroup"
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Name of the NetworkObjectGroup you would like to create | Required | |
| objects | Block that can be repeated so that your group can have one or more NetworkObjects. It can only be called `objects`. | Required | objects |
| objects.netname | Name of the NetworkObject you would like to add to the group | Required | |
| objects.type | The type inside the `objects` block. It should always be `networkobject` | Required | networkobject |
| type | Top-level type; this should always be `networkobjectgroup` | Required | networkobjectgroup |
This creates port objects for use in access rules. Note that a port range given in reverse order (i.e. 5000-4000 rather than 4000-5000) will throw an error.
```hcl
resource "ciscofdm_portobject" "myportobject" {
  name   = "My Application Port 4000-5000 Object"
  layer4 = "TCP"
  port   = "4000-5000"
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Name of the Port Object you want to create | Required | |
| layer4 | Layer 4 protocol, either TCP or UDP | Required | TCP or UDP |
| port | Either a single port or a range of ports; comma-delimited lists are not supported | Required | 1 or 1-2, NOT 1-2,5 |
This is the Port Object Group resource, which works like the network object group.
```hcl
resource "ciscofdm_portobjectgroup" "myportobjectgroup" {
  name        = "GSPORTGROUP"
  description = "My Port Group"
  type        = "portobjectgroup"
  objects {
    name = "FTP"
    type = "tcpportobject"
  }
  objects {
    name = "GTP_PORTS-2123"
    type = "tcpportobject"
  }
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Name of the Port Object Group you want to create | Required | |
| description | Description for the Port Object Group | Optional | |
| type | The value is static, but it is kept in the config | Required | portobjectgroup |
| objects | Repeatable block (a TypeSet) listing the group members | Required | |
| objects.name | Name of any existing port object that you want to add | Required | |
| objects.type | Only two valid values; the provider does not check them, so anything else errors at apply time | Required | tcpportobject or udpportobject |
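The page notes several times that the provider does no input checking, so a bad subtype, a reversed port range or a misspelt group member type only fails when the FDM API rejects it at apply time. The following is an added example, not code from this provider, of what that validation could look like in Go. `SchemaValidateFunc` is assumed to mirror the signature of the Terraform helper/schema `ValidateFunc` so the `OneOf` helper could be set on a schema attribute; the sample inputs in `main` are constructed from the values used on this page and the failure cases it describes.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// SchemaValidateFunc has the same shape as the Terraform helper/schema
// ValidateFunc (assumed here so these checks could be set on a resource
// schema attribute); the provider described on this page does not use one.
type SchemaValidateFunc func(v interface{}, k string) ([]string, []error)

// OneOf builds a validator that accepts only the listed values, e.g.
// OneOf("HOST", "NETWORK") for subtype, or OneOf("tcpportobject", "udpportobject")
// for a port object group member type.
func OneOf(allowed ...string) SchemaValidateFunc {
	return func(v interface{}, k string) ([]string, []error) {
		s, ok := v.(string)
		if !ok {
			return nil, []error{fmt.Errorf("%s: expected a string, got %T", k, v)}
		}
		for _, a := range allowed {
			if s == a {
				return nil, nil
			}
		}
		return nil, []error{fmt.Errorf("%s: %q is not one of %s", k, s, strings.Join(allowed, ", "))}
	}
}

// ValidateNetworkObject checks a ciscofdm_networkobject: subtype must be HOST or
// NETWORK, a HOST value must be a bare IP address, and a NETWORK value must be
// CIDR notation with no host bits set (10.0.0.5/24 is rejected, 10.0.0.0/24 is not).
func ValidateNetworkObject(subtype, value string) error {
	if _, errs := OneOf("HOST", "NETWORK")(subtype, "subtype"); len(errs) > 0 {
		return errs[0]
	}
	if subtype == "HOST" {
		if net.ParseIP(value) == nil {
			return fmt.Errorf("value: HOST %q is not an IP address", value)
		}
		return nil
	}
	ip, ipnet, err := net.ParseCIDR(value)
	if err != nil {
		return fmt.Errorf("value: NETWORK %q is not in X.X.X.X/YY form", value)
	}
	if !ip.Equal(ipnet.IP) {
		return fmt.Errorf("value: NETWORK %q has host bits set, did you mean %s?", value, ipnet)
	}
	return nil
}

// ValidatePortObject checks a ciscofdm_portobject: layer4 must be TCP or UDP and
// port must be a single port or an ascending range. Comma-delimited lists are
// rejected, and so is a reversed range such as 5000-4000, which the FDM would
// otherwise only reject at apply time.
func ValidatePortObject(layer4, port string) error {
	if _, errs := OneOf("TCP", "UDP")(layer4, "layer4"); len(errs) > 0 {
		return errs[0]
	}
	if strings.Contains(port, ",") {
		return fmt.Errorf("port: %q is comma-delimited; create one port object per entry", port)
	}
	parts := strings.Split(port, "-")
	if len(parts) > 2 {
		return fmt.Errorf("port: %q must be N or N-M", port)
	}
	nums := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(strings.TrimSpace(p))
		if err != nil || n < 1 || n > 65535 {
			return fmt.Errorf("port: %q is not a port number between 1 and 65535", p)
		}
		nums[i] = n
	}
	if len(nums) == 2 && nums[0] > nums[1] {
		return fmt.Errorf("port: range %q is reversed, use %d-%d", port, nums[1], nums[0])
	}
	return nil
}

func main() {
	// Constructed sample inputs: the values from this page plus its failure cases.
	fmt.Println("HOST 2.2.2.3:", ValidateNetworkObject("HOST", "2.2.2.3"))
	fmt.Println("NETWORK 10.0.0.5/24:", ValidateNetworkObject("NETWORK", "10.0.0.5/24"))
	fmt.Println("TCP 4000-5000:", ValidatePortObject("TCP", "4000-5000"))
	fmt.Println("TCP 5000-4000:", ValidatePortObject("TCP", "5000-4000"))
	fmt.Println("UDP 1-2,5:", ValidatePortObject("UDP", "1-2,5"))
	_, errs := OneOf("tcpportobject", "udpportobject")("portobject", "type")
	fmt.Println("group member type portobject:", errs)
}
```

Running these checks at plan time, rather than letting the FDM API reject the request during apply, also keeps Terraform state from being left half-applied when one resource in a larger plan fails.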
This is the Access Rule resource. Applying this configuration implements access rules on your FDM. Please note that there is no check that the objects you reference actually exist (not hard to add, just tedious right now). For example, if you enter an arbitrary Intrusion or File Policy name in your rule and it does not exist, the apply will error out.
```hcl
resource "ciscofdm_accessrule" "myaccessrules" {
  name       = "GSTERRAFORMRULE001"
  ruleaction = "PERMIT"
  intrusionpolicy = {
    name = "Connectivity Over Security"
    type = "intrusionpolicy"
  }
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Name of the rule | Required | string |
| ruleid | Rule ID, used to place the rule before or after another one | Optional | int |
| sourcezones | A TypeSet, declared the same way as `objects` above | Optional | |
| sourcezones.name | Name of an existing zone; required if sourcezones is defined | Required | string |
| destinationzones | A TypeSet, declared the same way as `objects` above | Optional | |
| destinationzones.name | Name of an existing zone; required if destinationzones is defined | Required | string |
| sourcenetworks | Refers to the network objects | Optional | string |
| destinationnetworks | Refers to the network objects | Optional | string |

- Most of the access control elements are implemented but have not yet been documented in the table.
This resource ensures that, after you have applied your rules and other objects, the pending configuration is deployed to the device. If you leave it out, you can do a manual deployment via the GUI. Terraform has no way of knowing that the deploy must run after the other resources unless you tell it, so add a `depends_on` listing them to the deploy resource.
```hcl
resource "ciscofdm_deploy" "deploy" {
  name    = "deploy"
  subtype = "deploy"
  value   = "true"
}
```
| Property | Description | Required | Valid Values |
|---|---|---|---|
| name | Should be `deploy`, though any string works as it is not used | Required | string |
George Seeto - bluecough
License - see the LICENSE file for details