Tuesday, November 11, 2025

How we use Terraform for managing multiple FW

In Terraform we manage the same address groups and policy rules on both our WEST and EAST firewall clusters, so every group managed by TF has identical details on each cluster; the only things that change per cluster are the target firewall and the credential used to reach it.


Since it is best security practice not to share one API key (aka token) between data centres, each firewall gets its own token, and we pull it in from a tfvars / auto.tfvars file rather than hard-coding it in the provider block. That file should be readable only by the account that runs Terraform (chmod 600; the listing further down is still 644) and must be excluded from version control.


e.g my provider.tf 


gn.admin@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# cat provider.tf

terraform {
  required_providers {
    fortios = {
      source = "fortinetdev/fortios"
    }
  }
}

#   FortiOS provider details, shared by FW1 and FW2; only the values differ
#   (hostname and token come from whichever tfvars file is selected at apply time)
#
provider "fortios" {
  hostname = var.hostname_value
  token    = var.token
  # "true" disables TLS certificate verification on the management connection.
  # Where possible pin the FortiGate's CA instead (cabundlefile) and set this to "false".
  insecure = "true"
}



Now in variables.tf we declare the two variables the provider block consumes:


gn.admin@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# cat variables.tf

# variables.tf socpuppets
#
# FW1 = WEST COAST, FW2 = EAST COAST
#
variable "hostname_value" {
  description = "The desired hostname for the resource"
  type        = string
}

variable "token" {
  description = "The desired API-token  for the resource"
  type        = string
  # sensitive keeps the token out of plan/apply output and the CLI logs
  sensitive   = true
}


my *.auto.tfvars files, one token per firewall (cat prints both files back to back, which is why two token lines show up):


gn.admin@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# ls -ltr *auto.tfvars

-rw-r--r-- 1 root root 41 Jan 11  2023 terraform1.auto.tfvars

-rw-r--r-- 1 root root 41 Jan 19  2023 terraform2.auto.tfvars

root@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# cat *.auto.tfvars

token = "yy1t5w3rbt5Qwx79dg1Gw40w4Qprh3"

token = "1cy8qb396qcjHxq0qGs3fsx4Nr7mpz"

root@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# 


So now when I run my apply I pick FW1 or FW2 by passing its file with -var-file. Two things to watch here. Terraform also loads every *.auto.tfvars file it finds on its own, in lexical order, and applies -var-file after them, so the explicit file wins in this run; but if you forget -var-file you silently get terraform2's token, so it is safer to name the per-firewall files something Terraform does not auto-load (e.g. fw1.tfvars, fw2.tfvars) and always pass them explicitly. And since hostname_value is not in the tfvars file, Terraform prompts for it interactively; putting the hostname in the same file as its token removes the prompt and the chance of pairing FW1's hostname with FW2's token.

e.g. applying against FW1 (the address object itself is declared in main.tf):




gn.admin@debian-s-2vcpu-4gb-120gb-intel-atl1-01:~# terraform apply  -var-file=terraform1.auto.tfvars

var.hostname_value

  The desired hostname for the resource


  Enter a value: FW1


fortios_firewall_address.dumbass: Refreshing state... [id=dumbass]


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

  ~ update in-place


Terraform will perform the following actions:


  # fortios_firewall_address.dumbass will be updated in-place

  ~ resource "fortios_firewall_address" "dumbass" {

      ~ comment               = " Managed by TERRAFORMS " -> " Managed by TERRAFORMS BLOGGER DEMO "

        id                    = "dumbass"

        name                  = "dumbass"

      - visibility            = "enable" -> null

        # (41 unchanged attributes hidden)

    }


Plan: 0 to add, 1 to change, 0 to destroy.


Do you want to perform these actions?

  Terraform will perform the actions described above.

  Only 'yes' will be accepted to approve.


  Enter a value: yes



We found that this keeps things simple when you have many objects managed as code across several firewalls: one set of resources, one provider block, and a per-firewall file that selects where it lands.


To recap


Break main.tf into provider.tf and main.tf, declare the variables in variables.tf, put each firewall's token (and hostname) in its own tfvars file, and pass that file on the command line so the right token is picked up automatically.
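As an added example that is not part of the original post, here is a small pre-flight I would wrap around the apply step above: it refuses a var file that is world-readable, that is named *.auto.tfvars (and so would be loaded on every run), or that does not carry both hostname_value and token, and it checks that no two firewalls share a token. It assumes the per-firewall files are renamed fw1.tfvars / fw2.tfvars; the directories, hostnames and token strings it builds are constructed placeholders, and apply_cmd only prints the terraform command rather than running it.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# per-firewall var files before running terraform apply.
# Assumptions (mine, not the post's): files are named fw1.tfvars / fw2.tfvars
# instead of *.auto.tfvars so Terraform never loads one implicitly, and each
# file sets BOTH hostname_value and token.

# check_varfile FILE: return 0 if FILE is safe to pass to -var-file.
check_varfile() {
  f="$1"
  [ -f "$f" ] || { echo "missing var file: $f" >&2; return 1; }
  case "$f" in
    *.auto.tfvars) echo "$f would be auto-loaded on every run; rename it" >&2; return 1 ;;
  esac
  # A token file must not be group/world readable (the post's listing shows 644).
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  case "$perms" in
    600|400) ;;
    *) echo "$f is mode $perms; chmod 600 it" >&2; return 1 ;;
  esac
  # Both variables must be set, so apply never prompts and never mixes
  # one box's hostname with the other box's token.
  for v in hostname_value token; do
    grep -Eq "^[[:space:]]*$v[[:space:]]*=" "$f" ||
      { echo "$f does not set $v" >&2; return 1; }
  done
}

# tokens_unique DIR: fail if two var files in DIR carry the same token value.
tokens_unique() {
  dups=$(sed -n 's/^[[:space:]]*token[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
           "$1"/*.tfvars 2>/dev/null | sort | uniq -d)
  [ -z "$dups" ] || { echo "token shared between var files in $1" >&2; return 1; }
}

# apply_cmd FILE: the command to run for that firewall (printed, not executed).
apply_cmd() {
  echo "terraform apply -var-file=$1"
}

# Constructed demo layout; hostnames and tokens are placeholders, not real values.
umask 077
DEMO=$(mktemp -d)
DEMO_SHARED=$(mktemp -d)
trap 'rm -rf "$DEMO" "$DEMO_SHARED"' EXIT
write_varfile() { printf 'hostname_value = "%s"\ntoken = "%s"\n' "$2" "$3" > "$1"; }
write_varfile "$DEMO/fw1.tfvars"   fw1.west.example placeholder-west-token-0001
write_varfile "$DEMO/fw2.tfvars"   fw2.east.example placeholder-east-token-0002
write_varfile "$DEMO/loose.tfvars" fw2.east.example placeholder-east-token-0003
chmod 644 "$DEMO/loose.tfvars"   # same mode as the files in the post: must be rejected
# A second layout where the east box reuses the west token: must be rejected.
write_varfile "$DEMO_SHARED/fw1.tfvars" fw1.west.example placeholder-west-token-0001
write_varfile "$DEMO_SHARED/fw2.tfvars" fw2.east.example placeholder-west-token-0001

tokens_unique "$DEMO" && echo "tokens in $DEMO are distinct"
tokens_unique "$DEMO_SHARED" || echo "refusing to use anything in $DEMO_SHARED"
for f in "$DEMO"/*.tfvars; do
  if check_varfile "$f"; then echo "OK   $(apply_cmd "$f")"; else echo "SKIP $f"; fi
done
```

Drop the demo section and call check_varfile / tokens_unique from whatever script or Makefile target runs terraform apply; the checks are cheap and catch exactly the two mistakes that the auto.tfvars layout invites, a forgotten -var-file and a token copied between data centres.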







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


  

