https://github.com/fortinet/aws-cloudformation-resource-provider

AWS CloudFormation Resource Provider
https://github.com/fortinet/aws-cloudformation-resource-provider

Last synced: 3 months ago
JSON representation

AWS CloudFormation Resource Provider

• Host: GitHub
• URL: https://github.com/fortinet/aws-cloudformation-resource-provider
• Owner: fortinet
• License: mit
• Created: 2019-10-16T22:41:52.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2019-11-18T22:15:38.000Z (almost 5 years ago)
• Last Synced: 2024-05-09T07:30:54.799Z (6 months ago)
• Language: Java
• Size: 267 KB
• Stars: 3
• Watchers: 6
• Forks: 2
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-cloudformation - Fortinet

README

        
# Introduction

ForitGate CloudFormation resources allow you to interact with components of the FortiGate API through AWS CloudFormation.

# Requirements

* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)

* FortiGate must have a public IP address that is reachable from the Internet.

# Set up

1. Install the `cfn` package.

2. Download the ZIP file for the required resource from S3.

    The Following resources are currently availble:

    [Create an Admin user](https://cloudformation-resource-provider.s3-us-west-2.amazonaws.com/fortinet-fortigate-systemadmin.zip)


    [Create a Vlan interface](https://cloudformation-resource-provider.s3-us-west-2.amazonaws.com/fortinet-fortigate-systeminterface.zip)


    [Update DNS](https://cloudformation-resource-provider.s3-us-west-2.amazonaws.com/fortinet-fortigate-systemdns.zip)


3. Locate the downloaded package and upload it to AWS CloudFormation using the command:

   ```sh

   cfn submit -v --region 

   ```

4. Use the token output to monitor the registration process:

   ```sh

   aws cloudformation describe-type-registration --registration-token 

   ```

5. Once the registration is marked as complete you will be able to view the resource in your respective region.

6. Example CloudFormation Templates are available in the [Templates folder](./CloudFormationTemplates). These will provide a starting point for the resource used in CloudFormation.

# The API key

In order to use the custom FortiGate CloudFormation resources you will need to set up an API key on the FortiGate.

## Create an Administrator profile

1. Log in to your FortiGate.

2. Select **System > Admin Profiles > Create new**.

3. Populate the fields as show in the image:


   ![FortiOS Admin Profile](./imgs/APIProfileExample.png)

4. Click **OK**.

## Create the REST API Admin

1. Select **System > Administrators > Create new > REST API Admin**.

2. Use the **Administrtor Profile** you created.

3. Add these **Trusted Hosts**:

   * 63.0.0.0/3

   * 64.0.0.0/2

   * 128.0.0.0/1

   > **Note:** The 0.0.0.0/0 range is not supported. A call may come from many different AWS IP addresses. A full list of AWS ranges is available [here](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).

4. Click **OK**.

# Usage

To use a resource in AWS CloudFormation you will need to supply the required parameters. A resource schema can be viewed from the registry in AWS CloudFormation.

Each FortiGate resource requires an API key and a FortiGate IP address or hostname.

Dynamic secrets are not currently supported.

1. In the AWS console, click **Services > Management & Governance > CloudFormation**.

2. Click **Create Stack**.

3. Upload your CloudFormation Template. Examples can be found [here](./CloudFormationTemplates).

4. Specify the required parameters as shown in the image:


![FortiOS Security Fabric Automation Screenshot](./imgs/CloudFormationExample.png)

# Troubleshooting

 A Log group in CloudWatch is automatically created when submitting the resource. To locate it, look in CloudWatch under the resource name.

Following are potential errors that may be returned by the FortiGate:

* 400 : Bad Request: Request cannot be processed by the AP

* 401 : Not Authorized: Request without successful login session

* 403 : Forbidden: Request is missing CSRF token or administrator is missing access profile permissions.

* 404 : Resource Not Found: Unable to find the specified resource.

* 405 : Method Not Allowed: Specified HTTP method is not allowed for this resource.

* 424 : Failed Dependency: Fail dependency can be duplicate resource, missing required parameter, missing required attribute, invalid attribute value.

Further troubleshooting can be done by logging into the FortiGate via `ssh` and entering the following commands:

```

diagnose debug enable

diagnose debug application httpsd -1

```

This will print debugging information when an API request is made.

# Support

Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.

For direct issues, please refer to the [Issues](https://github.com/fortinet/azure-security-group-update/issues) tab of this GitHub project.

For other questions related to this project, contact [[email protected]](mailto:[email protected]).

## License

[License](./LICENSE) © Fortinet Technologies. All rights reserved.