-
Notifications
You must be signed in to change notification settings - Fork 2
/
ise_in_aws.ise.yaml
125 lines (120 loc) · 3.89 KB
/
ise_in_aws.ise.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
---
#
# ⚠ Limit CIDR IPs to the Lab Network to Prevent Public Internet Access!
#
- name: Create SG-ISE Security Group
amazon.aws.ec2_group:
name: SG-ISE
description: SG-ISE
# vpc_id: "{{ vpcs.vpcs[0].id }}"
vpc_id: "{{ vpc.vpc.id }}"
region: "{{ aws_region }}"
rules:
- proto: -1
from_port: 0
to_port: 0
cidr_ip: 172.31.0.0/16
rule_desc: Allow all traffic within VPC
- proto: tcp
from_port: 22
to_port: 22
cidr_ip: 0.0.0.0/0
rule_desc: Allow SSH from anywhere
# 💡 Uncomment *only* if you want ISE directly accessible from Internet
# - proto: tcp
# from_port: 443
# to_port: 443
# cidr_ip: 0.0.0.0/0
# rule_desc: Allow HTTPS from anywhere
- proto: -1
from_port: 0
to_port: 0
cidr_ip: 192.168.0.0/16
rule_desc: Allow all traffic from on-premises
rules_egress:
- proto: all
cidr_ip: 0.0.0.0/0 # any
rule_desc: Allow All
tags:
Name: SG-ISE
project: "{{ project_name }}"
started: "{{ '%Y-%m-%dT%H:%M:%S-%Z' | strftime }}"
register: sg_ise
tags:
- sg
- security_group
- name: Create ISE Instance in AWS
loop: "{{ ise_nodes }}"
amazon.aws.ec2_instance:
# state: present # instances exist but not guarantee of state (e.g. running)
state: running # present + ensures the instances are running for public IP address!
# state: started # running + waits for EC2 status checks; ~3 minutes per node
region: "{{ aws_region }}"
vpc_subnet_id: "{{ subnet_private.subnet.id }}"
image_id: "{{ item.ami }}"
instance_type: "{{ item.instance_type }}"
key_name: "{{ ssh_keypair_name }}"
network:
assign_public_ip: yes
delete_on_termination: yes
private_ip_address: "{{ item.private_ip}}"
security_group: "{{ sg_ise.group_id }}"
volumes:
- device_name: /dev/sda1
ebs:
delete_on_termination: true
volume_size: "{{ item.volume_size | default( 300 ) }}"
wait: yes
tags:
Name: "{{ item.name }}"
product: "ISE"
hostname: "{{ item.name }}"
project: "{{ project_name }}"
started: "{{ '%Y-%m-%dT%H:%M:%S-%Z' | strftime }}"
role: "{{ item.role | default('') }}"
personas: "{{ item.personas | default( 'standalone') }}"
user_data: "hostname={{ item.name | lower }}\nprimarynameserver={{ dns_server | default('208.67.222.222') }}\ndnsdomain={{ domain_name | default('demo.local') }}\nntpserver={{ ntp_server | default('time.nist.gov') }}\ntimezone={{ timezone | default('Etc/UTC') }}\nusername={{ ise_username }}\npassword={{ ise_password }}"
register: instances
# - name: Show ISE Instances
# ansible.builtin.debug: var=instances
- name: Add public DNS entry for the ISE node(s)
when: domain_name is defined
loop: "{{ instances.results[0].instances }}"
community.aws.route53:
state: present
zone: "{{ domain_name }}"
record: "{{ item.tags.Name }}.{{ domain_name }}"
overwrite: yes
private_zone: no
type: A
ttl: 7200
value: "{{ item.public_ip_address }}"
wait: no
- name: Add private DNS entry for the ISE node(s)
when: domain_name is defined
loop: "{{ instances.results[0].instances }}"
community.aws.route53:
state: present
zone: "{{ domain_name }}"
record: "{{ item.tags.Name }}.{{ domain_name }}"
overwrite: yes
private_zone: yes
type: A
ttl: 7200
value: "{{ item.private_ip_address }}"
wait: no
- name: Show SSH Commands for ISE Instances
loop: "{{ ise_nodes }}"
ansible.builtin.debug:
msg: |
.
/|\
/|||\
@ /|||||\ @
@ \|/ \|/ @ ping {{ item.private_ip }}
@ @ ssh -i {{ ssh_keypair_private_key }} {{ ise_username }}@{{ item.private_ip }}
@. .@
`Y@ @ @Y`