-
Notifications
You must be signed in to change notification settings - Fork 2
/
ise_in_aws.vmx.yaml
269 lines (238 loc) · 8.38 KB
/
ise_in_aws.vmx.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
---
#
# The default LAN Setting for a new network will be :
#
# | Name | Subnet | MX IP
# |---------------------|-------------------|--------------
# | Single LAN Settings | 192.168.128.0/24 | 192.168.128.1
#
- name: Create a vMX Network '{{ meraki_org_name }}:{{ meraki_vmx_net_name }}'
cisco.meraki.meraki_network:
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_vmx_net_name }}"
state: present
type: appliance
timezone: America/Los_Angeles # Timezones: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
tags: ise, demo, lab, hub, mx
register: vmx_network
# - name: vmx_network
# ansible.builtin.debug: var=vmx_network
- name: Create SG-AllowAll Security Group
amazon.aws.ec2_group:
name: SG-AllowAll
description: Allow all traffic
vpc_id: "{{ vpc.vpc.id }}"
region: "{{ aws_region }}"
rules:
- proto: all
cidr_ip: 0.0.0.0/0 # any
rule_desc: Allow All
rules_egress:
- proto: all
cidr_ip: 0.0.0.0/0 # any
rule_desc: Allow All
tags:
Name: SG-AllowAll
project: "{{ project_name }}"
started: "{{ '%Y-%m-%dT%H:%M:%S-%Z' | strftime }}"
register: sg_allowall
# - name: Show sg_allowall
# ansible.builtin.debug: var=sg_allowall
- name: Check for Existing vMX Instance (idempotency) | {{ project_name }}
community.aws.ec2_instance_info: # get all by default
filters:
instance-state-name: ["running"]
"tag:project": "{{ project_name }}"
"tag:Name": "{{ vmx_name }}"
"tag:product": "vMX"
register: vmx
- name: Show Existing vMX
when: vmx is defined
ansible.builtin.debug: var=vmx
- name: Claim License, Generate Token, and Create vMX Instance
when: vmx.instances | count <= 0
block:
- name: Claim vMX Device & License
ansible.builtin.uri:
url: "https://api.meraki.com/api/v1/networks/{{ vmx_network.data.id }}/devices/claim/vmx"
method: POST
headers:
Accept: application/json
Content-Type: application/json
X-Cisco-Meraki-API-Key: "{{ lookup('env','MERAKI_KEY') }}"
body:
size: "{{ vmx_license_size }}"
body_format: json
status_code: 200
validate_certs: false
return_content: true
register: new_vmx
# - name: Show vmx
# ansible.builtin.debug: var=new_vmx.json
- name: Generate vMX Token
ansible.builtin.uri:
url: "https://api.meraki.com/api/v1/devices/{{ new_vmx.json.serial }}/appliance/vmx/authenticationToken"
method: POST
headers:
Accept: application/json
Content-Type: application/json
X-Cisco-Meraki-API-Key: "{{ lookup('env','MERAKI_KEY') }}"
body_format: json
status_code: 201
validate_certs: false
return_content: true
register: vmx_token_response
# - name: Show vmx_token_response
# ansible.builtin.debug: var=vmx_token_response.json
- name: Extract Token
ansible.builtin.set_fact:
meraki_vmx_authentication_token: "{{ vmx_token_response.json.token }}"
# - name: Show token
# ansible.builtin.debug: var=meraki_vmx_authentication_token
#
# 💡 Uses the community.aws.ec2_instance module which supports `user_data`
# field for inclusion of the Meraki vMX Authentication Token!
#
- name: Create vMX Instance
community.aws.ec2_instance:
# state: present # instances exist but not guarantee of state (e.g. running)
state: running # present + ensures the instances are running for public IP address!
# state: started # running + waits for EC2 status checks; ~3 minutes per node
vpc_subnet_id: "{{ subnet_public.subnet.id }}"
region: "{{ aws_region }}"
image_id: "{{ vmx_aws_ami }}"
instance_type: "{{ vmx_aws_instance_type }}"
key_name: "{{ ssh_keypair_name }}" # SSH Keypair Name
security_group: "{{ sg_allowall.group_name }}"
network:
assign_public_ip: yes
delete_on_termination: yes
private_ip_address: "{{ vmx_private_ip }}"
volumes:
- device_name: /dev/xvda
ebs:
delete_on_termination: true
volume_size: 10
user_data: "{{ meraki_vmx_authentication_token | trim }}"
wait: yes # must wait to get eni for NAT and private RT changes
tags:
Name: "{{ vmx_name }}"
project: "{{ project_name }}"
product: vMX
started: "{{ '%Y-%m-%dT%H:%M:%S-%Z' | strftime }}"
register: vmx
- name: Show vMX Instance
ansible.builtin.debug: var=vmx
#
# ⚠ Requires the vMX to be initialized; Use `wait: yes` above
# ⚠ Works with eni_id but not subnet_id
#
- name: Disable Source/Destination Check for vMX as NAT device!
amazon.aws.ec2_eni:
instance_id: "{{ vmx.instances[0].instance_id }}"
eni_id: "{{ vmx.instances[0].network_interfaces[0].network_interface_id }}"
source_dest_check: false
register: vmx_eni
# - name: Show vmx_eni
# ansible.builtin.debug: var=vmx_eni
- name: Add Public DNS entry for the vMX
when: domain_name is defined
community.aws.route53:
state: present
zone: "{{ domain_name }}"
record: "{{ project_name }}-vmx.{{ domain_name }}"
overwrite: yes
private_zone: no
type: A
ttl: 7200
value: "{{ vmx.instances[0].public_ip_address }}"
wait: no
- name: Add private DNS entry for the vMX
when: domain_name is defined
community.aws.route53:
state: present
zone: "{{ domain_name }}"
record: "{{ project_name }}-vmx.{{ domain_name }}"
overwrite: yes
private_zone: yes
type: A
ttl: 7200
value: "{{ vmx.instances[0].private_ip_address }}"
wait: no
#
# Update the Private Route Table
#
# | Destination | Target |
# |-----------------|--------|
# | 172.31.0.0/16 | local
# | 192.168.0.0/16 | eni-* <=== add this
# | 0.0.0.0/0 | igw-*
#
- name: Update the AWS Private Route Table with vMX VPN Network
community.aws.ec2_vpc_route_table:
vpc_id: "{{ vpc.vpc.id }}"
subnets:
- "{{ subnet_private.subnet.id }}"
routes:
- dest: 0.0.0.0/0
gateway_id: "{{ igw.gateway_id }}"
- dest: 192.168.0.0/16
instance_id: "{{ vmx.instances[0].instance_id }}"
tags:
Name: RT_Private
project: "{{ project_name }}"
started: "{{ '%Y-%m-%dT%H:%M:%S-%Z' | strftime }}"
register: rt_private
- name: Find {{ meraki_vpn_hub.net_name }} Network to use as VPN Hub
cisco.meraki.meraki_network:
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_vpn_hub.net_name }}"
state: query
register: lab_network
# - name: Show lab_network
# ansible.builtin.debug: var=lab_network.data
# ⓘ Meraki vMX must be configured "Passthrough or VPN Concentrator" mode!
# "Routed" mode requires 2 or more ports but vMX only has 1 port!
- name: Configure vMX Deployment as Passthrough or VPN Concentrator
delegate_to: localhost
ansible.builtin.uri:
url: "https://api.meraki.com/api/v1/networks/{{ vmx_network.data.id }}/appliance/settings"
method: PUT
headers:
Accept: application/json
Content-Type: application/json
X-Cisco-Meraki-API-Key: "{{ lookup('env','MERAKI_KEY') }}"
body:
deploymentMode: passthrough
body_format: json
status_code: 200
validate_certs: false
return_content: true
register: vmx_deployment
- name: Show vMX Settings
ansible.builtin.debug: var=vmx_deployment.json
- name: Set vMX to VPN Spoke mode to Lab Hub
cisco.meraki.meraki_site_to_site_vpn:
org_name: "{{ meraki_org_name }}"
net_name: "{{ meraki_vmx_net_name }}"
state: present
mode: spoke # use `spoke` to avoid AWS $$$ for outbound `hub` traffic
hubs:
- hub_id: "{{ lab_network.data.id }}"
use_default_route: false # send all default route traffic to this hub
register: spoke_mode
# - name: spoke_mode
# ansible.builtin.debug: var=spoke_mode
- name: Manually add the vMX Local Subnet
ansible.builtin.pause:
prompt: |
You must now manually add the vMX Local Subnet in the Site-to-Site VPN.
1. Open the Meraki Dashboard
2. Go to Security & SDWAN > Configure > Site-to-Site VPN
3. Under VPN Settings, Add a Local Network:
Name: ISE_Meraki_AWS
VPN Mode: Enabled
Subnet: 172.31.0.0/16
4. Save!
You may now ping through the auto-VPN into your AWS instance(s)!
Press Enter to Continue...