feat(core): Improve Fortigate sample configuration (#620)

naveenkoppula · web-flow · commit 8c5e015d45e3 · 2021-02-17T14:24:31.000-05:00
* Adding additional replacements for firewall configuration

* Fixing tests for Firewall instances
diff --git a/reference-artifacts/Third-Party/firewall-example-FUTURE.txt b/reference-artifacts/Third-Party/firewall-example-FUTURE.txt
@@ -167,8 +167,8 @@ edit FG-traffic
       set peertype any
       set proposal aes256-sha256
       set dhgrp 2
-      set remote-gw ${PublicVpnTunnel2OutsideAddress1}
-      set psksecret ${PublicPreSharedSecret2-1}
+      set remote-gw ${PublicVpnTunnelOutsideAddress2}
+      set psksecret ${PublicPreSharedSecret2}
       set dpd-retryinterval 10
     next
   end
@@ -199,8 +199,8 @@ edit FG-traffic
       set mtu 1427
     next
     edit "tgw-vpn2"
-      set ip ${PublicCgwTunnel2InsideAddress1} 255.255.255.255
-      set remote-ip ${PublicVpnTunnel2InsideAddress1} 255.255.255.255
+      set ip ${PublicCgwTunnelInsideAddress2} 255.255.255.255
+      set remote-ip ${PublicVpnTunnelInsideAddress2} 255.255.255.255
 	  set explicit-web-proxy enable
       set allowaccess ping
       set type tunnel 
@@ -758,7 +758,7 @@ edit FG-traffic
         set route-map-out "rmap-outbound"
         set link-down-failover enable
       next
-      edit ${PublicVpnTunnel2InsideAddress1}
+      edit ${PublicVpnTunnelInsideAddress2}
         set capability-default-originate enable
         set remote-as ${PublicVpnBgpAsn1}
         set route-map-out "rmap-outbound"
diff --git a/src/deployments/cdk/src/apps/phase-1.ts b/src/deployments/cdk/src/apps/phase-1.ts
@@ -20,7 +20,7 @@ import { CentralBucketOutput, LogBucketOutput } from '../deployments/defaults/ou
 import * as budget from '../deployments/billing/budget';
 import * as certificates from '../deployments/certificates';
 import * as defaults from '../deployments/defaults';
-import * as firewall from '../deployments/firewall/cluster';
+import * as firewallCluster from '../deployments/firewall/cluster';
 import * as firewallSubscription from '../deployments/firewall/subscription';
 import * as reports from '../deployments/reports';
 import * as ssm from '../deployments/ssm/session-manager';
@@ -288,7 +288,7 @@ export async function deploy({ acceleratorConfig, accountStacks, accounts, conte
   }
 
   // Create the firewall
-  await firewall.step2({
+  await firewallCluster.step2({
     accountStacks,
     config: acceleratorConfig,
     outputs,
diff --git a/src/deployments/cdk/src/deployments/firewall/cluster/outputs.ts b/src/deployments/cdk/src/deployments/firewall/cluster/outputs.ts
@@ -50,6 +50,13 @@ export const FirewallVpnTunnelOptions = t.interface({
   vpnTunnelOutsideAddress1: t.string,
   vpnBgpAsn1: t.string,
   preSharedSecret1: t.string,
+  cgwTunnelInsideAddress2: t.string,
+  cgwTunnelOutsideAddress2: t.string,
+  cgwBgpAsn2: t.string,
+  vpnTunnelInsideAddress2: t.string,
+  vpnTunnelOutsideAddress2: t.string,
+  vpnBgpAsn2: t.string,
+  preSharedSecret2: t.string,
 });
 
 export type FirewallVpnTunnelOptions = t.TypeOf<typeof FirewallVpnTunnelOptions>;
diff --git a/src/deployments/cdk/src/deployments/firewall/cluster/step-1.ts b/src/deployments/cdk/src/deployments/firewall/cluster/step-1.ts
@@ -39,7 +39,6 @@ export async function step1(props: FirewallStep1Props) {
         continue;
       }
 
-      // TODO We could create a nested stack here
       await createFirewallEips({
         scope: accountStack,
         vpcConfig,
diff --git a/src/deployments/cdk/src/deployments/firewall/cluster/step-2.ts b/src/deployments/cdk/src/deployments/firewall/cluster/step-2.ts
@@ -148,6 +148,13 @@ async function createCustomerGateways(props: {
         vpnTunnelOutsideAddress1: options.getAttString('VpnOutsideIpAddress1'),
         vpnBgpAsn1: options.getAttString('VpnBgpAsn1'),
         preSharedSecret1: options.getAttString('PreSharedKey1'),
+        cgwTunnelInsideAddress2: options.getAttString('CgwInsideIpAddress2'),
+        cgwTunnelOutsideAddress2: options.getAttString('CgwOutsideIpAddress2'),
+        cgwBgpAsn2: options.getAttString('CgwBgpAsn2'),
+        vpnTunnelInsideAddress2: options.getAttString('VpnInsideIpAddress2'),
+        vpnTunnelOutsideAddress2: options.getAttString('VpnOutsideIpAddress2'),
+        vpnBgpAsn2: options.getAttString('VpnBgpAsn2'),
+        preSharedSecret2: options.getAttString('PreSharedKey2'),
       };
 
       // Creating VPN connection route table association and propagation
diff --git a/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts b/src/deployments/cdk/test/apps/unsupported-changes.mocks.ts
@@ -734,6 +734,13 @@ export function createPhaseInput(): Omit<PhaseInput, 'accountStacks'> {
               vpnTunnelOutsideAddress1: '35.182.31.119',
               vpnBgpAsn1: '64512',
               preSharedSecret1: 'yTHR4PMEE7GQJr8dnC4JsIgX9eXMpPUt',
+              cgwTunnelInsideAddress2: '169.254.11.2',
+              cgwTunnelOutsideAddress2: '3.97.102.213',
+              cgwBgpAsn2: '65523',
+              vpnTunnelInsideAddress2: '169.254.11.1',
+              vpnTunnelOutsideAddress2: '52.60.189.14',
+              vpnBgpAsn2: '65521',
+              preSharedSecret2: '2ywd00tL_lEQ4fX9aoGBd41oUkjx6v6y',
             },
           },
           {
@@ -783,6 +790,13 @@ export function createPhaseInput(): Omit<PhaseInput, 'accountStacks'> {
               vpnTunnelOutsideAddress1: '35.182.50.24',
               vpnBgpAsn1: '64512',
               preSharedSecret1: 'T8euLki9G2ERUw0Z2qiFJkG_KFyh5ivW',
+              cgwTunnelInsideAddress2: '169.254.150.38',
+              cgwTunnelOutsideAddress2: '52.60.163.124',
+              cgwBgpAsn2: '65523',
+              vpnTunnelInsideAddress2: '169.254.150.37',
+              vpnTunnelOutsideAddress2: '52.60.81.195',
+              vpnBgpAsn2: '65521',
+              preSharedSecret2: '.yPhfn75glcBbwNo4ZuMJ8T973F88gLC',
             },
           },
           {
diff --git a/src/lib/cdk-constructs/src/firewall/instance.ts b/src/lib/cdk-constructs/src/firewall/instance.ts
@@ -15,6 +15,11 @@ export interface FirewallVpnTunnelOptions {
   vpnTunnelOutsideAddress1: string;
   vpnBgpAsn1: string;
   preSharedSecret1: string;
+  preSharedSecret2: string;
+  vpnTunnelInsideAddress2: string;
+  vpnTunnelOutsideAddress2: string;
+  cgwTunnelInsideAddress2: string;
+  cgwTunnelOutsideAddress2: string;
 }
 
 export interface FirewallConfigurationProps {
@@ -170,6 +175,11 @@ export class FirewallInstance extends cdk.Construct {
       this.template.addReplacement(`\${${name}VpnTunnelInsideAddress1}`, vpnTunnelOptions?.vpnTunnelInsideAddress1);
       this.template.addReplacement(`\${${name}VpnBgpAsn1}`, vpnTunnelOptions?.vpnBgpAsn1);
       this.template.addReplacement(`\${${name}PreSharedSecret1}`, vpnTunnelOptions?.preSharedSecret1);
+      this.template.addReplacement(`\${${name}CgwTunnelOutsideAddress2}`, vpnTunnelOptions?.cgwTunnelOutsideAddress2);
+      this.template.addReplacement(`\${${name}CgwTunnelInsideAddress2}`, vpnTunnelOptions?.cgwTunnelInsideAddress2);
+      this.template.addReplacement(`\${${name}VpnTunnelOutsideAddress2}`, vpnTunnelOptions?.vpnTunnelOutsideAddress2);
+      this.template.addReplacement(`\${${name}VpnTunnelInsideAddress2}`, vpnTunnelOptions?.vpnTunnelInsideAddress2);
+      this.template.addReplacement(`\${${name}PreSharedSecret2}`, vpnTunnelOptions?.preSharedSecret2);
     }
 
     return networkInterface;

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,6 @@ export async function step1(props: FirewallStep1Props) {`
`39`	`39`	`continue;`
`40`	`40`	`}`
`41`	`41`
`42`		`- // TODO We could create a nested stack here`
`43`	`42`	`await createFirewallEips({`
`44`	`43`	`scope: accountStack,`
`45`	`44`	`vpcConfig,`