Monday, November 10, 2025

Using Pulumi for managing FortiOS IaC

In this example, I will demo using Pulumi to manage a FortiOS firewall as infrastructure as code, with the fortios provider:

https://www.pulumi.com/registry/packages/fortios/api-docs/firewall/addrgrp/


The advantages over Terraform

  •   it handles multiple languages, such as Go or YAML
  •   secrets are encrypted by default
  •   simpler to set up
  •   quicker to debug, with built-in diagnostics


So here's my Pulumi.yaml, built from a YAML template


root@debian-s-1vcpu-1gb-nyc3-01:~/pul2# cat Pulumi.yaml
name: basic
runtime: yaml

config:
  fortios:cabundlefile:
    value: /etc/ssl/certs/firewall.crt
  fortios:hostname:
    value: xxx.xxx.xxx.xxx
  fortios:insecure:
    value: true
  fortios:token:
    value: thsNr5qt6dgj7Nfh3Ggynq6z1NGpzn

resources:
  # Create provider instance
  fortios-provider:
    type: pulumi:providers:fortios
    properties:
      cabundlefile: ${fortios:cabundlefile}
      hostname: ${fortios:hostname}
      insecure: ${fortios:insecure}
      token: ${fortios:token}

  # Create a Static Route Item
  route1:
    type: fortios:networking:RouteStatic
    properties:
      dst: 10.13.2.14/32
      gateway: 192.168.111.111
      device: lan5
    options:
      provider: ${fortios-provider}

  # Create a Static Route Item
  route2:
    type: fortios:networking:RouteStatic
    properties:
      dst: 10.32.2.12/32
      gateway: 192.168.111.111
      device: lan5
    options:
      provider: ${fortios-provider}

  # Address objects. These have no options.provider, so they go through the
  # default fortios provider, which is configured from the same fortios:* config keys.
  trname1:
    type: fortios:firewall:Address
    properties:
      name: ken01111
      allowRouting: disable
      subnet: 12.1.1.0 255.255.255.0
      type: ipmask
      visibility: enable

  trname2:
    type: fortios:firewall:Address
    properties:
      name: ken01112
      allowRouting: disable
      subnet: 12.2.1.0 255.255.255.0
      type: ipmask
      visibility: enable

  trname3:
    type: fortios:firewall:Address
    properties:
      name: ken01113
      allowRouting: disable
      subnet: 13.2.1.0 255.255.255.0
      type: ipmask
      visibility: enable

  # Address group built from the three objects above; the ${trnameN.name}
  # references make Pulumi create the members before the group.
  trname:
    type: fortios:firewall:Addrgrp
    properties:
      allowRouting: disable
      name: BLOCKITNOW
      comment: my_block_list
      visibility: enable
      members:
        - name: ${trname1.name}
        - name: ${trname2.name}
        - name: ${trname3.name}
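Two settings in the config above should not survive into a real deployment. The API token sits in Pulumi.yaml as a plaintext value, so it lands in git and in every copy of the project. And fortios:insecure is true, which tells the provider to skip TLS verification of the FortiGate, so the cabundlefile is never actually consulted (an on-path attacker can then read or replace the REST calls, token included). The hardened layout below is an added example, not from the original post. It assumes a stack named dev and a placeholder ciphertext; it is the shape you get after running "pulumi stack init dev" and "pulumi config set --secret fortios:token <api-token>", which writes the token encrypted into the stack file Pulumi.dev.yaml, keyed by the stack's secrets provider (Pulumi Cloud by default, or a passphrase/KMS chosen with --secrets-provider).

```yaml
# --- Pulumi.yaml: project file, safe to commit (no credential in it) ---
name: basic
runtime: yaml

config:
  fortios:cabundlefile:
    value: /etc/ssl/certs/firewall.crt   # bundle containing the FortiGate cert's issuer
  fortios:hostname:
    value: xxx.xxx.xxx.xxx
  fortios:insecure:
    value: false                          # verify the FortiGate cert against the bundle

resources:
  fortios-provider:
    type: pulumi:providers:fortios
    properties:
      cabundlefile: ${fortios:cabundlefile}
      hostname: ${fortios:hostname}
      insecure: ${fortios:insecure}
      token: ${fortios:token}             # resolved from the stack file below
---
# --- Pulumi.dev.yaml: stack file written by
#       pulumi stack init dev
#       pulumi config set --secret fortios:token <api-token>
#     The ciphertext is a placeholder; Pulumi writes the real one. ---
config:
  fortios:token:
    secure: AAABAexample-ciphertext-written-by-pulumi
```

The ${fortios:token} reference in the provider resource is unchanged. Because the value was set with --secret, Pulumi tracks it as a secret all the way through: it is encrypted in the state file as well, and "pulumi config" prints it as [secret]. With insecure set to false, the FortiGate's certificate (or its issuing CA) has to be in firewall.crt or the provider will refuse to connect, which is the behaviour you want.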

To execute the task, just run "pulumi up" (run "pulumi preview" first to see the planned changes without touching the FortiGate).
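As an added pre-flight check that is not part of the original post, the script below lints a Pulumi project or stack file before "pulumi up" and refuses the two weak settings from the demo config: a credential stored as a plaintext value: instead of a secure: ciphertext, and insecure: true in either the config block or a provider resource. The two sample files it writes are constructed for the example (placeholder token, documentation IP); the key names it treats as credentials (token, password, apikey, secret*) are an assumption, extend them for other providers.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight lint to run on a
# Pulumi project or stack file before `pulumi up`. It flags a credential stored
# as a plaintext `value:` (should be a `secure:` ciphertext written by
# `pulumi config set --secret`) and `insecure: true`, which disables TLS
# verification of the FortiGate even when a CA bundle is configured.
# File names and contents below are constructed; the token is a placeholder.

# lint_pulumi_config FILE -> prints one finding per line, exit 1 if any, else 0
lint_pulumi_config() {
    findings=$(awk '
        # "<ns>:token:" / "<ns>:password:" ... : remember the key until its value line
        /^[ \t]+[A-Za-z0-9_.-]+:(token|password|apikey|secret[A-Za-z]*):[ \t]*$/ {
            key = $1; sub(/:$/, "", key); kind = "secret"; next
        }
        # "<ns>:insecure:" : remember it, flag only if the value is true
        /^[ \t]+[A-Za-z0-9_.-]+:insecure:[ \t]*$/ {
            key = $1; sub(/:$/, "", key); kind = "tls"; next
        }
        # any other bare mapping key (config:, resources:, route1:, ...) ends the scope
        /^[ \t]*[^ \t]+:[ \t]*$/ { kind = ""; next }
        kind == "secret" && /^[ \t]+value:/ {
            printf "plaintext secret: %s\n", key
        }
        kind == "tls" && /^[ \t]+value:[ \t]*true/ {
            printf "TLS verification disabled: %s\n", key
        }
        /^[ \t]+(value|secure):/ { kind = "" }
        # a literal insecure: true set directly on a provider resource property
        /^[ \t]+insecure:[ \t]*true[ \t]*$/ {
            print "TLS verification disabled: provider property insecure: true"
        }
    ' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# lint_count FILE -> number of findings (0 when clean)
lint_count() {
    lint_pulumi_config "$1" | awk 'END { print NR }'
}

SAMPLE_DIR=$(mktemp -d)
WEAK_CFG="$SAMPLE_DIR/Pulumi.weak.yaml"
HARDENED_CFG="$SAMPLE_DIR/Pulumi.hardened.yaml"

# Constructed: same shape as the demo config (plaintext token, TLS verification off,
# plus a provider resource that hard-codes insecure: true)
cat > "$WEAK_CFG" <<'EOF'
name: basic
runtime: yaml
config:
  fortios:hostname:
    value: 192.0.2.10
  fortios:insecure:
    value: true
  fortios:token:
    value: PLACEHOLDER-NOT-A-REAL-TOKEN
resources:
  fortios-provider:
    type: pulumi:providers:fortios
    properties:
      hostname: ${fortios:hostname}
      insecure: true
      token: ${fortios:token}
EOF

# Constructed: after `pulumi config set --secret fortios:token ...` and insecure off
cat > "$HARDENED_CFG" <<'EOF'
name: basic
runtime: yaml
config:
  fortios:cabundlefile:
    value: /etc/ssl/certs/firewall.crt
  fortios:hostname:
    value: 192.0.2.10
  fortios:insecure:
    value: false
  fortios:token:
    secure: AAABAexample-ciphertext-written-by-pulumi
EOF

echo "== weak config =="
lint_pulumi_config "$WEAK_CFG" || echo "-> $(lint_count "$WEAK_CFG") finding(s), do not run pulumi up"
echo "== hardened config =="
lint_pulumi_config "$HARDENED_CFG" && echo "-> clean"
```

Wire it in as a pre-commit hook or a CI step in front of "pulumi preview"; the exit status is what the pipeline should key on, the printed lines are for the human reading the log.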


For this demo, I'm using these versions










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \
