
Azure Administration Guide

Deploying autoscaling using Azure Terraform module


You can deploy FortiGate-VM autoscaling on Azure by using the autoscaling group (ASG) Terraform module. You can use the module interactively or by downloading the entire repository. The following documentation uses the prebuilt example to explain the configuration points and the steps to deploy the infrastructure.

All cloud modules require Terraform 1.8 or later.

See the following for resources:

Support

Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, see the issues tab of this GitHub project. For other questions related to this project, contact github@fortinet.com.

Authenticating to Azure

When possible, authenticate and authorize the Terraform deployment by using the Azure-specific CLI method. See Azure Provider: Authenticating using a Service Principal with a Client Secret.

main.tf and terraform.tfvars

The cloud modules follow a similar file structure. At the root level of each module are the main.tf and terraform.tfvars files.

The main.tf file at the root level is used to enumerate and resolve the variables defined in the terraform.tfvars file. These values are passed to the downstream modules to perform the following:

  • Resolve the variables for FortiGate bootstrap configuration
  • Configure the cloud infrastructure around the virtual private cloud (VPC), subnet, load balancer, cloud storage, cloud function, secret management, and so on

When troubleshooting deployment issues, work from the error back up to the main.tf and terraform.tfvars files in the root directory.

FortiGate and ASG

Each cloud module example creates a bootstrap configuration file and places that file in a cloud storage medium or a bucket.

The Terraform scripts take in the networking information of the VPC subnets and leverage that information to create a FortiOS CLI configuration that matches the subnet information of each interface configured.

Azure VMSS

An Azure VM scale set (VMSS) is the autoscaling mechanism in Azure. The Terraform deployment configures the settings by using an image search function to search the marketplace images and the version specified.

The other settings, regarding the number and default amount of VM instances within the VMSS, are set in the main.tf file in the fortigate scale set directory.

Changing variables

The folder structure and its relationship with the files are important. Each example contains directory traversals that go up a directory, back down into the root directory, and then into the modules directory to find the cloud and FortiGate configuration submodules.

Most, if not all, variable values are configurable from the terraform.tfvars file of each module in each example.

Following are the most commonly changed variables in terraform.tfvars:

  • FortiOS image URI
  • Key pair/secret and key
  • Administrator password
  • Regions and zones
  • VPC and subnet information
  • FortiGate configuration file

For a specific example for any Terraform module, see Terraform modules for FortiGate VMs on Azure.

The following provides an example of changing variables to use a specific FortiGate-VM image. It assumes that you have created a custom image, or know the location of the image to reference in the Terraform scripts.

Edit the following and use the URI of the image you created earlier. The FortiGate image should be created with the standard VHD backing storage type and not SSD.

Edit the main.tf file in \modules\fortigate\scaleset and make the following changes to the resource:

resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
#Use Custom Image
  source_image_id = "/subscriptions/2f96c44c-cfb2-4621-bd36-65ba45185e0c/resourceGroups/rho-marketplace/providers/Microsoft.Compute/images/fortios-ums-b3434-byol-w"

Comment out the following:

#Use Marketplace Image
  #source_image_reference {
  #  publisher = "fortinet"
  #  offer     = "fortinet_fortigate-vm_v5"
  #  sku       = var.image_sku
  #  version   = var.image_version
  #}
  #plan {
  #  name      = var.image_sku
  #  publisher = "fortinet"
  #  product   = "fortinet_fortigate-vm_v5"
  #}

Initializing and applying the configuration

The modules are architected so that you can configure, initialize, and apply the examples where they sit in the directory structure of the repository when downloaded or cloned to your working directory.

To initialize and apply the configuration:

When all configuration and variable changes are made to fit your environment, run the following:

terraform init
terraform apply

At this point, Terraform uses the credentials specified in the respective files or the authentication tokens generated from the CLI authentication process to make changes to your cloud environment.
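
The checks below are an added example, not part of Fortinet's module or documentation: a pre-apply script that enforces the Terraform 1.8 minimum stated above and flags secret-like variables that hold literal values in terraform.tfvars. The name patterns (password, secret, private_key, token) and the function names are assumptions, since this page does not list the module's variable names.

```shell
#!/bin/sh
# Added example, not Fortinet code. Secret-name patterns are assumptions.

# Succeed when dotted version $1 is at least major.minor $2.
version_ge() {
  have_major=${1%%.*}; rest=${1#*.}; have_minor=${rest%%.*}
  need_major=${2%%.*}; rest=${2#*.}; need_minor=${rest%%.*}
  [ "$have_major" -gt "$need_major" ] ||
    { [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]; }
}

# Print "line:name" for each secret-like variable in tfvars file $1 that is
# assigned a non-empty quoted literal; return 1 when any is found.
find_plaintext_secrets() {
  awk '
    /^[ \t]*(#|\/\/)/ { next }                      # skip comment lines
    /^[ \t]*[A-Za-z0-9_-]+[ \t]*=/ {
      eq = index($0, "=")
      name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
      value = substr($0, eq + 1);   sub(/^[ \t]+/, "", value)
      if (tolower(name) ~ /password|secret|private_key|token/ &&
          value ~ /^"[^"]+"/) {
        printf "%d:%s\n", NR, name
        found = 1
      }
    }
    END { exit found + 0 }
  ' "$1"
}

# Run both checks: $1 = tfvars path, $2 = installed Terraform version.
# Returns 2 for an old Terraform, 3 for plaintext secrets, 0 otherwise.
preflight() {
  version_ge "$2" 1.8 || {
    echo "Terraform $2 is older than the required 1.8" >&2; return 2; }
  hits=$(find_plaintext_secrets "$1") || {
    echo "Plaintext secrets in $1 (use TF_VAR_<name> instead):" >&2
    echo "$hits" >&2; return 3; }
}

# Usage: sh preflight.sh terraform.tfvars 1.9.5 && terraform apply
if [ "$#" -eq 2 ]; then preflight "$1" "$2" || exit $?; fi
```

Values flagged here can be supplied at apply time through TF_VAR_<name> environment variables, which keeps them out of a terraform.tfvars file that may be committed with the repository.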
