Terraform Provider

Requirements

  • Terraform 0.10.x and above
  • Go 1.9 (to build the provider plugin) and above
  • Firepower v6.4.x or v6.7 in standalone mode

Installation

Download and build the latest release and copy to your terraform plugin directory (typically ~/.terraform.d/plugins/)

Alternatively you can build it.

$ go mod init terraform-provider-ciscofdm
$ go mod tidy
$ go build

Update for Terraform 0.15+

On OSX. This is needed in order to perform a terraform init.

Create a directory and place the compiled plugin there
$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/darwin_amd64

On Linux

$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/linux_amd64

asciicast

Provider Configuration

Example

Example provider:

provider "ciscofdm" {
  api_url = "192.168.128.30"
  username = "admin"
  password = "Admin123"
  ssl_no_verify = true
}
Property Description Default
api_url The IP address of the FDM Required
username The Username to login to the FDM Required
password The Password to login to the FDM Required
ssl_no_verify Boolean to ignore self signed certs Required

Resources

ciscofdm_networkobject

A resource for managing FDM NetworkObjects. There are a couple of fields that can have certain values but no checking of input has been done.

Example

provider "ciscofdm" {
  api_url = "192.168.128.30"
  username = "admin"
  password = "Admin123"
  ssl_no_verify = true
}

resource "ciscofdm_networkobject" "myobject" { name = "Terraform Network Object" subtype = "HOST" value = "2.2.2.3" }

Properties

Property Description Default Valid Values
name Name you wish to call the network object Required
subtype String type that can only be HOST or NETWORK. Required HOST, NETWORK
value If its a host simply put the IP address. If its a NETWORK X.X.X.X/YY Required X.X.X.X , X.X.X.X/YY

ciscofdm_networkobjectgroup

To place NetworkObjects into groups. Please note adding objects that are not already in the system, into the group will make your terraform state become out of sync.

Example

resource "ciscofdm_networkobjectgroup" "myobjectgroup" {
  name = "myNetworkGroup"
  objects {
     netname = "any-ipv6"
     type = "networkobject"
  }
  objects {
     netname = "SomeOtherNet"
     type = "networkobject"
  }
  type = "networkobjectgroup"
}
Property Description Default Valid Values
name Name of the NetworkObjectGroup you would like to create Required
objects Value that can be repeated so that your group can have one or more NetworkObjects. It can only be called 'object'. Required object
netname Name of the NetworkObject you would like to add to the group Required
type This is the type under the 'objects' key:value. It should always be 'networkobject' Required networkobject
type This should always be networkobjectgroup Required networkobjectgroup

ciscofdm_portobject

This creates portobjects for use in access rules. Note that if you create an access port in reverse that it will throw an error. ie/ 5000-4000 rather than 4000-5000.

Example

resource "ciscofdm_portobject" "myportobject" {
  name = "My Application Port 4000-5000 Object"
  layer4 = "TCP"
  port = "4000-5000"
}
Property Description Default Valid Values
name Name of the Port Object you want to create. Required
layer4 Layer4 option of either TCP or UDP Required TCP or UDP
port This can either be a single port, a range of ports. And not comma delimited ports. Required 1 or 1-2 and NOT 1-2,5

ciscofdm_portobjectgroup

This is the Port Object group resource, that is similar to the network object group.

Example

resource "ciscofdm_portobjectgroup" "myportobjectgroup" {
  name = "GSPORTGROUP"
  description = "My Port Group"
  type = "portobjectgroup"
  objects {
    name = "FTP"
    type = "tcpportobject"
  }
  objects {
    name = "GTP_PORTS-2123"
    type = "tcpportobject"
  }
}
Property Description Default Valid Values
name Name of the Port Object Group you want to create. Required
description Description for the Port Object Group Optional
type The tag is static but I kept it in the config. Required portobjectgroup
objects This is the TypeSet heirarchy Required
name This is the name of any existing port object that you want to add Required
type Only two options but no error check in place so anything else will error Required tcpportobject or udpportobject

ciscofdm_accessrule

This is the Access Rule resource. Applying this configuration you can implement access rules to your FDM. Please note there isn't any error checking to see if objects you're calling are actually there(Although not hard to do, it's tedious right now). As an example lets say you enter an arbitrary Intrusion or File Policy into your rule. If it doesnt it exist it will error out.

Example(s)

resource "ciscofdm_accessrule" "myaccessrules" {
  name = "GSTERRAFORMRULE001"
  ruleaction = "PERMIT"  
  intrusionpolicy = {
    name = "Connectivity Over Security"
    type = "intrusionpolicy"
  }
}

Property Description Default Valid Values
name Name of the Rule you want Required string
ruleid RuleID so if you want to place rules before or another Optional int
sourcezones This is a TypeSet so it is declared similarly like "objects" above
name Name of an existing zone. Required if sourcezones defined Required string
destinationzones This is a TypeSet so it is declared similarly like "objects" above
name Name of an existing zone. Required if destinationzones defined Required string
sourcenetworks Refer to the network objects string
destinationnetworks Refer to the network objects string
  • Most of the access control elements are implemented just have not documented in the table.

ciscofdm_deploy

This ensures that after you implement your rules and so forth you can deploy. If you leave it out you can do a manual deployment via the GUI.

Example(s)

resource "ciscofdm_deploy" "deploy" {
  name = "deploy"
  subtype = "deploy"
  value = "true"
}
Property Description Default Valid Values
name The name should be deploy or any string as its not used. Required string

Authors & Contributors

George Seeto - bluecough

License

License - see the LICENSE file for details

Use Case

Using the Cisco Secure Firewall Device Manager Terraform Provider.

Using the CiscoFDM provider you will be able to apply Cisco Secure Firewall Port Objects, Port Object Groups, Network Objects, Network Object Groups, and Access Control Polcies

Business Case

This resource will walk you through implementing the CiscoFDM Terraform Provider either through downloading the pre-built binaries to building the plugin with the assumption you have setup your Go environment. This provider will allow you to specificially configure some of the elements with the Cisco Secure Firewall in Standalone device manager mode. You should be able to declarative define your infrastructure using this provider.

Also note the access control policy implementation is not implemented fully. You are able to create rules using networks, zones, ports, enabling snort, and syslog. Some of the other advanced functionality is still currently being worked on.

Installing the pre-built binaries

  • Assumptions - Terraform is installed on your laptop.

To start using the provider in your environment you first need to download the latest binary for your OS and also the version of the Cisco Secure Firewall version you are running. The latest binary can be found here.

Since this is a 3rd party plugin that isn't officially on the Hashicorp Providers list. You will need to perform the following in order to install the provider.

On OSX. This is needed in order to perform a terraform init.

Create a directory and place the compiled binary at the following location.
$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/darwin_amd64

On Linux

$HOME/.terraform.d/plugins/registry.terraform.io/hashicorp/ciscofdm/1.0/linux_amd64

Now in order to use it make sure you have a main.tf file or use the example .tf file from this repository.

$ terraform init

Compiling the provider

  • Assumptions - You have your Golang development environment setup.

Once you have your Golang environment setup simply run the following commands in your cloned repository. It should compile the binary and you will need to place this binary using the above locations in your home directory based upon the OS platform you are on.

$ go mod init terraform-provider-ciscofdm
$ go mod tidy
$ go build

Here is a video example of the above. asciicast

  • Other related labs in DevNet using Terraform
View code on GitHub

Code Exchange Community

Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
Disclaimer:
Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.