{"id":19508840,"url":"https://github.com/rhythmictech/terraform-aws-fortigate","last_synced_at":"2025-08-13T23:07:19.612Z","repository":{"id":38334215,"uuid":"237475602","full_name":"rhythmictech/terraform-aws-fortigate","owner":"rhythmictech","description":"Create a FortiGate VM. This module can optionally pre-configure the FortiGate, either using a configuration file supplied by you (in an S3 bucket) or by simply loading a basic config that ensures the firewall is reachable over the assigned Elastic IP. This is useful when you don't have other means of connectivity into the VPC.","archived":false,"fork":false,"pushed_at":"2024-09-26T00:43:49.000Z","size":39,"stargazers_count":2,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-26T03:44:01.559Z","etag":null,"topics":["aws","ec2","fortigate","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/rhythmictech/fortigate/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rhythmictech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-31T16:58:04.000Z","updated_at":"2024-09-26T00:43:16.000Z","dependencies_parsed_at":"2025-04-26T03:41:55.132Z","dependency_job_id":null,"html_url":"https://github.com/rhythmictech/terraform-aws-fortigate","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/rhythmictech/terraform-aws-fortigate","repository_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-fortigate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-fortigate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-fortigate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-fortigate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rhythmictech","download_url":"https://codeload.github.com/rhythmictech/terraform-aws-fortigate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rhythmictech%2Fterraform-aws-fortigate/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270330595,"owners_count":24565816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-13T02:00:09.904Z","response_time":66,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","ec2","fortigate","terraform","terraform-module"],"created_at":"2024-11-10T23:10:04.182Z","updated_at":"2025-08-13T23:07:19.594Z","avatar_url":"https://github.com/rhythmictech.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
terraform-aws-fortigate\n\n[![tflint](https://github.com/rhythmictech/terraform-aws-fortigate/workflows/tflint/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-fortigate/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster)\n[![tfsec](https://github.com/rhythmictech/terraform-aws-fortigate/workflows/tfsec/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-fortigate/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster)\n[![yamllint](https://github.com/rhythmictech/terraform-aws-fortigate/workflows/yamllint/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-fortigate/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster)\n[![misspell](https://github.com/rhythmictech/terraform-aws-fortigate/workflows/misspell/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-fortigate/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster)\n[![pre-commit-check](https://github.com/rhythmictech/terraform-aws-fortigate/workflows/pre-commit-check/badge.svg?branch=master\u0026event=push)](https://github.com/rhythmictech/terraform-aws-fortigate/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)\n\u003ca href=\"https://twitter.com/intent/follow?screen_name=RhythmicTech\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/RhythmicTech?style=social\u0026logo=twitter\" alt=\"follow on Twitter\"\u003e\u003c/a\u003e\n\nCreate a FortiGate VM. This module can optionally pre-configure the FortiGate, either using a configuration file supplied by you (in an S3 bucket) or by simply loading a basic config that ensures the firewall is reachable over the assigned Elastic IP. 
This is useful when you don't have other means of connectivity into the VPC.\n\n## Usage\n```\nmodule \"firewall\" {\n  source         = \"rhythmictech/fortigate/aws\"\n  config_bucket_name   = \"${local.account_id}-${var.region}-fortigate-config\"\n  create_config_bucket = true\n  enable_auto_config   = true\n  external_subnet_id   = \"subnet-01234567890\"\n  instance_type        = \"t3.large\"\n  internal_subnet_id   = \"subnet-01234567891\"\n  load_default_config  = true\n  vpc_id               = \"vpc-01234567890\"\n}\n```\n\n*Warning*: When using the default config bootstrapper, an admin password is set. This password is stored in Secrets Manager but is ultimately pulled into the bootstrap config file stored in S3. This means that it is both in S3 and in the tfstate file unencrypted.\n\nFor production use, it is recommended to change the password after provisioning and update Terraform to not attempt to load a default config, which will then cause the temporary secret to be removed from both S3 and Secrets Manager.\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 0.13.4 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3.8 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 4.17.1 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_fortigate_password\"\u003e\u003c/a\u003e [fortigate\\_password](#module\\_fortigate\\_password) | rhythmictech/secretsmanager-random-secret/aws | ~\u003e 1.4 |\n| \u003ca name=\"module_keypair\"\u003e\u003c/a\u003e [keypair](#module\\_keypair) | rhythmictech/secretsmanager-keypair/aws | ~\u003e 0.0.4 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| 
[aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |\n| [aws_eip_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip_association) | resource |\n| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_policy.bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy_attachment.bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.sdn_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |\n| [aws_network_interface.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface) | resource |\n| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |\n| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket_object.default_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |\n| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |\n| [aws_security_group.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| 
[aws_security_group.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |\n| [aws_security_group_rule.allow_admin_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_admin_https_sgs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_admin_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_admin_ssh_sgs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_all_internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_all_out_external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_all_out_internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_security_group_rule.allow_fortiguard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |\n| [aws_ami.byol](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |\n| [aws_ami.ondemand](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |\n| [aws_iam_policy_document.assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| 
[aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n| [aws_secretsmanager_secret.password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |\n| [aws_secretsmanager_secret_version.password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_allowed_admin_cidrs\"\u003e\u003c/a\u003e [allowed\\_admin\\_cidrs](#input\\_allowed\\_admin\\_cidrs) | Public CIDRs that will be able to access the FortiGate admin ports | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"0.0.0.0/0\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_allowed_admin_security_group_id\"\u003e\u003c/a\u003e [allowed\\_admin\\_security\\_group\\_id](#input\\_allowed\\_admin\\_security\\_group\\_id) | Security group allowed to access administrative ports | `string` | `null` | no |\n| \u003ca name=\"input_ami_account_id\"\u003e\u003c/a\u003e [ami\\_account\\_id](#input\\_ami\\_account\\_id) | AWS account holding Fortinet AMI (GovCloud uses `874634375141`) | `string` | `\"679593333241\"` | no |\n| \u003ca name=\"input_ami_byol_filter\"\u003e\u003c/a\u003e [ami\\_byol\\_filter](#input\\_ami\\_byol\\_filter) | AMI name string for BYOL FG AMI | `string` | `\"FortiGate-VM64-AWS build*\"` | no |\n| \u003ca name=\"input_ami_ondemand_filter\"\u003e\u003c/a\u003e [ami\\_ondemand\\_filter](#input\\_ami\\_ondemand\\_filter) | AMI name string for on demand FG AMI | `string` | `\"FortiGate-VM64-AWSONDEMAND*\"` | no |\n| \u003ca name=\"input_config_bucket_config_file\"\u003e\u003c/a\u003e 
[config\\_bucket\\_config\\_file](#input\\_config\\_bucket\\_config\\_file) | Name of the configuration file in the S3 bucket | `string` | `\"fortigate.conf\"` | no |\n| \u003ca name=\"input_config_bucket_license_file\"\u003e\u003c/a\u003e [config\\_bucket\\_license\\_file](#input\\_config\\_bucket\\_license\\_file) | Name of the license file (leave blank if using on demand) | `string` | `\"\"` | no |\n| \u003ca name=\"input_config_bucket_name\"\u003e\u003c/a\u003e [config\\_bucket\\_name](#input\\_config\\_bucket\\_name) | Name of config bucket. If `create_config_bucket = true`, a bucket with this name will be created. | `string` | `\"\"` | no |\n| \u003ca name=\"input_config_bucket_region\"\u003e\u003c/a\u003e [config\\_bucket\\_region](#input\\_config\\_bucket\\_region) | Region that the S3 bucket is in. Required when the bucket is not created by this module. | `string` | `\"\"` | no |\n| \u003ca name=\"input_create_config_bucket\"\u003e\u003c/a\u003e [create\\_config\\_bucket](#input\\_create\\_config\\_bucket) | Create a bucket for configuration auto loading | `bool` | `false` | no |\n| \u003ca name=\"input_create_config_bucket_iam_policy\"\u003e\u003c/a\u003e [create\\_config\\_bucket\\_iam\\_policy](#input\\_create\\_config\\_bucket\\_iam\\_policy) | Attach an IAM policy granting the FortiGate instance read access to all objects in the bucket. 
| `bool` | `true` | no |\n| \u003ca name=\"input_create_keypair\"\u003e\u003c/a\u003e [create\\_keypair](#input\\_create\\_keypair) | Whether to create a keypair for this instance, which will be stored in Secrets Manager | `bool` | `true` | no |\n| \u003ca name=\"input_create_route53_address\"\u003e\u003c/a\u003e [create\\_route53\\_address](#input\\_create\\_route53\\_address) | Associate a Route53 entry to the public EIP | `bool` | `false` | no |\n| \u003ca name=\"input_enable_auto_config\"\u003e\u003c/a\u003e [enable\\_auto\\_config](#input\\_enable\\_auto\\_config) | Enable auto configuration | `bool` | `false` | no |\n| \u003ca name=\"input_enable_sdn_access\"\u003e\u003c/a\u003e [enable\\_sdn\\_access](#input\\_enable\\_sdn\\_access) | Enable FortiGate SDN access to AWS resources | `bool` | `false` | no |\n| \u003ca name=\"input_external_subnet_id\"\u003e\u003c/a\u003e [external\\_subnet\\_id](#input\\_external\\_subnet\\_id) | Subnet ID to use for public interface | `string` | n/a | yes |\n| \u003ca name=\"input_https_admin_port\"\u003e\u003c/a\u003e [https\\_admin\\_port](#input\\_https\\_admin\\_port) | HTTPS port for administrative access | `number` | `443` | no |\n| \u003ca name=\"input_instance_type\"\u003e\u003c/a\u003e [instance\\_type](#input\\_instance\\_type) | Instance type for FG | `string` | `\"m5.large\"` | no |\n| \u003ca name=\"input_internal_subnet_id\"\u003e\u003c/a\u003e [internal\\_subnet\\_id](#input\\_internal\\_subnet\\_id) | Subnet ID to use for internal interface | `string` | n/a | yes |\n| \u003ca name=\"input_keypair\"\u003e\u003c/a\u003e [keypair](#input\\_keypair) | Keypair to use for EC2 instance (set to blank to omit a keypair, not used if `create_keypair==true`) | `string` | `null` | no |\n| \u003ca name=\"input_load_default_config\"\u003e\u003c/a\u003e [load\\_default\\_config](#input\\_load\\_default\\_config) | Place a default configuration file in the config bucket with the specified name | `bool` | `false` | no |\n| 
\u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Name of this Fortigate instance | `string` | `\"fortigate\"` | no |\n| \u003ca name=\"input_override_ami\"\u003e\u003c/a\u003e [override\\_ami](#input\\_override\\_ami) | Specify to force a specific AMI | `string` | `\"\"` | no |\n| \u003ca name=\"input_route53_address\"\u003e\u003c/a\u003e [route53\\_address](#input\\_route53\\_address) | Route 53 address (do not include full domain) | `string` | `\"\"` | no |\n| \u003ca name=\"input_route53_zone_id\"\u003e\u003c/a\u003e [route53\\_zone\\_id](#input\\_route53\\_zone\\_id) | n/a | `string` | `\"\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Tags to apply to supported resources (don't include name tag) | `map(string)` | `{}` | no |\n| \u003ca name=\"input_use_byol\"\u003e\u003c/a\u003e [use\\_byol](#input\\_use\\_byol) | Use BYOL license (as opposed to on demand pricing) | `bool` | `false` | no |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | VPC to create resources in | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_eip_fortigate\"\u003e\u003c/a\u003e [eip\\_fortigate](#output\\_eip\\_fortigate) | Elastic IP address of firewall |\n| \u003ca name=\"output_instance_fortigate\"\u003e\u003c/a\u003e [instance\\_fortigate](#output\\_instance\\_fortigate) | Fortigate Instance ID |\n| \u003ca name=\"output_instance_fortigate_primary_network_interface_id\"\u003e\u003c/a\u003e [instance\\_fortigate\\_primary\\_network\\_interface\\_id](#output\\_instance\\_fortigate\\_primary\\_network\\_interface\\_id) | Primary ENI ID (attach route tables to this) |\n| \u003ca name=\"output_keypair_key_name\"\u003e\u003c/a\u003e [keypair\\_key\\_name](#output\\_keypair\\_key\\_name) | Instance keypair name |\n| \u003ca name=\"output_s3_bucket_config\"\u003e\u003c/a\u003e [s3\\_bucket\\_config](#output\\_s3\\_bucket\\_config) | S3 
bucket holding configuration |\n| \u003ca name=\"output_secretsmanager_secret_arn\"\u003e\u003c/a\u003e [secretsmanager\\_secret\\_arn](#output\\_secretsmanager\\_secret\\_arn) | FortiGate admin password secret |\n| \u003ca name=\"output_security_group_external\"\u003e\u003c/a\u003e [security\\_group\\_external](#output\\_security\\_group\\_external) | Security group for external access |\n| \u003ca name=\"output_security_group_internal\"\u003e\u003c/a\u003e [security\\_group\\_internal](#output\\_security\\_group\\_internal) | Security group for internal access |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-fortigate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frhythmictech%2Fterraform-aws-fortigate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frhythmictech%2Fterraform-aws-fortigate/lists"}