
Create a FortiGate VM. This module can optionally pre-configure the FortiGate, either using a configuration file supplied by you (in an S3 bucket) or by simply loading a basic config that ensures the firewall is reachable over the assigned Elastic IP. This is useful when you don't have other means of connectivity into the VPC.


```hcl
module "firewall" {
  source = "rhythmictech/fortigate/aws"

  # The module creates this bucket and, because load_default_config is true,
  # seeds it with a basic config so the firewall is reachable on its EIP.
  config_bucket_name   = "${local.account_id}-${var.region}-fortigate-config"
  create_config_bucket = true
  enable_auto_config   = true
  external_subnet_id   = "subnet-01234567890"
  instance_type        = "t3.large"
  internal_subnet_id   = "subnet-01234567891"
  load_default_config  = true
  vpc_id               = "vpc-01234567890"
}
```

Warning: When using the default config bootstrapper, an admin password is set. This password is stored in Secrets Manager but is ultimately pulled into the bootstrap config file stored in S3. This means that it is both in S3 and in the tfstate file unencrypted.

For production use, it is recommended to change the password after provisioning and then set `load_default_config` to `false`, which will cause the temporary secret to be removed from both S3 and Secrets Manager.
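The warning above says the bootstrap password lands in the S3 config object, in Secrets Manager and in the Terraform state. The script below is an added example (not part of this module) that audits a state file for exactly that: it walks every resource instance in a Terraform state v4 JSON document, reports each attribute whose string value contains a given secret (substring matching, because the S3 object holds the password inside the rendered config text rather than in a dedicated field), and checks whether `aws_s3_bucket_object.default_config` is still managed, which tells you the `load_default_config = false` remediation has not yet been applied. The sample state, password, ARN, bucket and instance id are constructed placeholders; the resource names match the module's resource table.

```python
"""Audit a Terraform state file for the FortiGate bootstrap password.

Added example, not part of rhythmictech/fortigate/aws. It assumes the
Terraform state v4 JSON layout: a top-level "resources" list whose entries
carry "instances", each with an "attributes" map.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

# Constructed sample state. Resource addresses follow the module's names
# (aws_s3_bucket_object.default_config, data.aws_secretsmanager_secret_version.password);
# the password, ARN, bucket and instance id are made-up placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.2.0",
    "resources": [
        {
            "module": "module.firewall", "mode": "data",
            "type": "aws_secretsmanager_secret_version", "name": "password",
            "instances": [{"attributes": {
                "arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:fortigate-EXAMPLE",
                "secret_string": "EXAMPLE-temp-passw0rd",
            }}],
        },
        {
            "module": "module.firewall", "mode": "managed",
            "type": "aws_s3_bucket_object", "name": "default_config",
            "instances": [{"attributes": {
                "bucket": "111122223333-us-east-1-fortigate-config",
                "key": "fortigate.conf",
                "content": "config system admin\n edit admin\n"
                           "  set password EXAMPLE-temp-passw0rd\n next\nend\n",
            }}],
        },
        {
            "module": "module.firewall", "mode": "managed",
            "type": "aws_instance", "name": "this",
            "instances": [{"attributes": {
                "id": "i-0123456789abcdef0",
                "instance_type": "t3.large",
                "tags": {"Name": "fortigate"},
            }}],
        },
    ],
})


def resource_address(res: dict, instance: dict) -> str:
    """Build the Terraform address (module.x.data.type.name[key]) of one instance."""
    parts = []
    if res.get("module"):
        parts.append(res["module"])
    if res.get("mode") == "data":
        parts.append("data")
    parts.append(f'{res["type"]}.{res["name"]}')
    addr = ".".join(parts)
    if "index_key" in instance:
        addr += f'[{instance["index_key"]!r}]'
    return addr


def _walk(value: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (attribute path, string) for every string leaf, descending maps and lists."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _walk(child, f"{path}[{i}]")


def find_secret_exposures(state_json: str, secret: str) -> list[str]:
    """Return every 'address.attribute' whose string value contains the secret."""
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            addr = resource_address(res, inst)
            for path, text in _walk(inst.get("attributes", {}), ""):
                if secret in text:
                    hits.append(f"{addr}.{path}")
    return hits


def default_config_still_loaded(state_json: str) -> bool:
    """True while aws_s3_bucket_object.default_config is still in state, i.e.
    load_default_config has not yet been set to false and re-applied."""
    state = json.loads(state_json)
    return any(res.get("type") == "aws_s3_bucket_object" and res.get("name") == "default_config"
               for res in state.get("resources", []))


if __name__ == "__main__":
    for hit in find_secret_exposures(SAMPLE_STATE, "EXAMPLE-temp-passw0rd"):
        print("bootstrap password present in state at", hit)
    print("default config object still managed:", default_config_still_loaded(SAMPLE_STATE))
```

Run it against a real `terraform state pull` dump by replacing `SAMPLE_STATE` with the file contents and passing the current admin password; an empty hit list plus `default_config_still_loaded` returning `False` is the condition the recommendation above aims for.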


## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.4 |
| aws | >= 3.8 |


## Providers

| Name | Version |
|------|---------|
| aws | 4.17.1 |


## Modules

| Name | Source | Version |
|------|--------|---------|
| fortigate_password | rhythmictech/secretsmanager-random-secret/aws | ~> 1.4 |
| keypair | rhythmictech/secretsmanager-keypair/aws | ~> 0.0.4 |


## Resources

| Name | Type |
|------|------|
| aws_eip.this | resource |
| aws_eip_association.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_policy.bucket_access | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.bucket_access | resource |
| aws_iam_role_policy_attachment.sdn_access | resource |
| aws_instance.this | resource |
| aws_network_interface.outbound | resource |
| aws_route53_record.this | resource |
| aws_s3_bucket.config | resource |
| aws_s3_bucket_object.default_config | resource |
| aws_s3_bucket_public_access_block.config | resource |
| aws_security_group.external | resource |
| aws_security_group.internal | resource |
| aws_security_group_rule.allow_admin_https | resource |
| aws_security_group_rule.allow_admin_https_sgs | resource |
| aws_security_group_rule.allow_admin_ssh | resource |
| aws_security_group_rule.allow_admin_ssh_sgs | resource |
| aws_security_group_rule.allow_all_internal | resource |
| aws_security_group_rule.allow_all_out_external | resource |
| aws_security_group_rule.allow_all_out_internal | resource |
| aws_security_group_rule.allow_fortiguard | resource |
| aws_ami.byol | data source |
| aws_ami.ondemand | data source |
| aws_iam_policy_document.assume | data source |
| aws_iam_policy_document.bucket_access | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_secretsmanager_secret.password | data source |
| aws_secretsmanager_secret_version.password | data source |


## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed_admin_cidrs | Public CIDRs that will be able to access the FortiGate admin ports | `list(string)` | | |
| allowed_admin_security_group_id | Security group allowed to access administrative ports | `string` | `null` | no |
| ami_account_id | AWS account holding Fortinet AMI (GovCloud uses 874634375141) | `string` | `"679593333241"` | no |
| ami_byol_filter | AMI name string for BYOL FG AMI | `string` | `"FortiGate-VM64-AWS build*"` | no |
| ami_ondemand_filter | AMI name string for on demand FG AMI | `string` | `"FortiGate-VM64-AWSONDEMAND*"` | no |
| config_bucket_config_file | Name of the configuration file in the S3 bucket | `string` | `"fortigate.conf"` | no |
| config_bucket_license_file | Name of the license file (leave blank if using on demand) | `string` | `""` | no |
| config_bucket_name | Name of config bucket. If `create_config_bucket = true`, a bucket with this name will be created. | `string` | `""` | no |
| config_bucket_region | Region that the S3 bucket is in. Required when the bucket is not created by this module. | `string` | `""` | no |
| create_config_bucket | Create a bucket for configuration auto loading | `bool` | `false` | no |
| create_config_bucket_iam_policy | Attach an IAM policy granting the FortiGate instance read access to all objects in the bucket. | `bool` | `true` | no |
| create_keypair | Whether to create a keypair for this instance, which will be stored in Secrets Manager | `bool` | `true` | no |
| create_route53_address | Associate a Route53 entry to the public EIP | `bool` | `false` | no |
| enable_auto_config | Enable auto configuration | `bool` | `false` | no |
| enable_sdn_access | Enable FortiGate SDN access to AWS resources | `bool` | `false` | no |
| external_subnet_id | Subnet ID to use for public interface | `string` | n/a | yes |
| https_admin_port | HTTPS port for administrative access | `number` | `443` | no |
| instance_type | Instance type for FG | `string` | `"m5.large"` | no |
| internal_subnet_id | Subnet ID to use for internal interface | `string` | n/a | yes |
| keypair | Keypair to use for EC2 instance (set to blank to omit a keypair, not used if `create_keypair == true`) | `string` | `null` | no |
| load_default_config | Place a default configuration file in the config bucket with the specified name | `bool` | `false` | no |
| name | Name of this FortiGate instance | `string` | `"fortigate"` | no |
| override_ami | Specify to force a specific AMI | `string` | `""` | no |
| route53_address | Route 53 address (do not include full domain) | `string` | `""` | no |
| route53_zone_id | n/a | `string` | `""` | no |
| tags | Tags to apply to supported resources (don't include name tag) | `map(string)` | `{}` | no |
| use_byol | Use BYOL license (as opposed to on demand pricing) | `bool` | `false` | no |
| vpc_id | VPC to create resources in | `string` | n/a | yes |


## Outputs

| Name | Description |
|------|-------------|
| eip_fortigate | Elastic IP address of firewall |
| instance_fortigate | FortiGate instance ID |
| instance_fortigate_primary_network_interface_id | Primary ENI ID (attach route tables to this) |
| keypair_key_name | Instance keypair name |
| s3_bucket_config | S3 bucket holding configuration |
| secretsmanager_secret_arn | FortiGate admin password secret |
| security_group_external | Security group for external access |
| security_group_internal | Security group for internal access |