xdr-terraform-modules/base/_archive/cisco_vpn/quickstart-cisco-asav-ravpn/templates/quickstart-cisco-asav-ravpn-instance.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  Cisco Systems - Creates the necessary policies, roles, security group and
  launches Cisco ASAv Instance(s). (qs-1qp7e9tnh)
Metadata:
  ParameterLabels:
    InstanceTypeParam:
      default: ASAv instance type
    KeyPair:
      default: keypair name
    MgmtSubnet1CIDR:
      default: Mgmt subnet 1
    PrivateSubnet1ID:
      default: Private subnet 1
    PublicSubnet1ID:
      default: Public subnet 1
    VPCID:
      default: VPC ID
    DnsName:
      default: Dns name
    ASAv1HostName:
      default: ASAv1 Hostname
    VPNPoolFrom1:
      default: VPN Pool Start
    VPNPoolTo1:
      default: VPN Pool Finish
    VPNPoolCIDRMask1:
      default: NETMASK of VPN Pool
    VPCCIDRMASK:
      default: netmask of VPCCIDR
    VPCPOOL:
      default: pool of VPC
    VPNUser:
      default: VPN User
    VPNPassword:
      default: VPN Password
    OnPremCIDRMask:
      default: onprem network MASK
    OnPremPool:
      default: onprem pool
    PrivateSubnet1GW:
      default: private subnet GW
    PrivateSubnet1CIDR:
      default: private subnet CIDR format
    PrivateSubnet1Pool:
      default: Private subnet pool
    PrivateSubnet1CIDRMask:
      default: Private subnet mask
    PublicHostedZone:
      default: Private hosted zone Id
    MgmtRouteTable:
      default: Management route table Id
    ASAvInstanceSGMGMT:
      default: ASAv Instance Management Security group Id
    ASAvInstanceSGOUTSIDE:
      default: ASAv Instance Outside Security group Id
    ASAvInstanceSGINSIDE:
      default: ASAv Instance Inside Security group Id
Parameters:
  InstanceTypeParam:
    Type: String
    Default: c5.large
    AllowedValues:
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c5.large
      - c5.xlarge
      - c5.2xlarge
    Description: Select an instance size for the ASAv.
  KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: ASAv instances will launch with this keypair
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: Select VPC which ASAv will be deployed in
  VPNUser:
    Type: String
    Description: Test VPN Username
  VPNPassword:
    Type: String
    Description: Test VPN Password
    NoEcho: true
  MgmtSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for Mgmt subnet 1 in Availability Zone 1
    Type: String
  PrivateSubnet1ID:
    Type: AWS::EC2::Subnet::Id
    Description: Private Subnet 1 ID
  PublicSubnet1ID:
    Type: AWS::EC2::Subnet::Id
    Description: Public Subnet 1 ID
  DnsName:
    Type: String
    Description: DNS name of PublicHostedZone
  ASAv1HostName:
    Type: String
    Description: ASAv1 Hostname
  VPNPoolFrom1:
    Type: String
    Description: VPN Pool Start
  VPNPoolTo1:
    Type: String
    Description: VPN Pool Finish
  VPNPoolCIDRMask1:
    Type: String
    Description: NETMASK of VPN CIDR Pool
  VPCCIDRMASK:
    Type: String
    Description: netmask of VPC
  VPCPOOL:
    Type: String
    Description: pool of VPC
  OnPremCIDRMask:
    Type: String
    Description: onprem network MASK
  OnPremPool:
    Type: String
    Description: onprem pool
  PrivateSubnet1GW:
    Type: String
    Description: private subnet GW
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Description: CIDR block for the On-prem network
    Type: String
  PrivateSubnet1Pool:
    Type: String
    Description: Private subnet pool
  PrivateSubnet1CIDRMask:
    Type: String
    Description: Private subnet mask

  PublicHostedZone:
    Type: String
    Description: Resource ID of the Public Hosted Zone
  MgmtRouteTable:
    Type: String
    Description: Resource ID of the Management Route Table
  ASAvInstanceSGMGMT:
    Type: String
    Description: Security Group ID for Management instance
  ASAvInstanceSGOUTSIDE:
    Type: String
    Description: Security Group ID for Outside instance
  ASAvInstanceSGINSIDE:
    Type: String
    Description: Security Group ID for Inside instance
  InstanceIdentifier:
    Type: Number
    Description: RAVPN Instance No.
Mappings:
  AWSAMIRegionMap:
    eu-north-1: 
      HVM64: ami-005e678f521ec99d0
    ap-south-1: 
      HVM64: ami-024dc7bfa98b41ec6
    eu-west-3: 
      HVM64: ami-06c7b0231eb402d16
    eu-west-2: 
      HVM64: ami-0bec420a926af5be6
    eu-west-1: 
      HVM64: ami-09cc7f08a29818836
    ap-northeast-2: 
      HVM64: ami-08d0dad22fc46b6d9
    ap-northeast-1: 
      HVM64: ami-09bdeeb4666c0bb9d
    sa-east-1: 
      HVM64: ami-08e47d7858321f80c
    ca-central-1: 
      HVM64: ami-07f9b49973a350949
    ap-southeast-1: 
      HVM64: ami-0e397151d9d5c4e82
    ap-southeast-2: 
      HVM64: ami-07781517dd89226fb
    eu-central-1: 
      HVM64: ami-000b858ff24a0d33f
    us-east-1: 
      HVM64: ami-0408c1a8f87e2e0d4
    us-east-2: 
      HVM64: ami-06554acf8888fbe0d
    us-west-1: 
      HVM64: ami-0312fb96da1e1fe74
    us-west-2: 
      HVM64: ami-00a1cfa66bfdcfe76
  CIDRtoSubnetmask:
    '16':
      mask: '255.255.0.0'
    '17':
      mask: '255.255.128.0'
    '18':
      mask: '255.255.192.0'
    '19':
      mask: '255.255.224.0'
    '20':
      mask: '255.255.240.0'
    '21':
      mask: '255.255.248.0'
    '22':
      mask: '255.255.252.0'
    '23':
      mask: '255.255.254.0'
    '24':
      mask: '255.255.255.0'
    '25':
      mask: '255.255.255.128'
    '26':
      mask: '255.255.255.192'
    '27':
      mask: '255.255.255.224'
    '28':
      mask: '255.255.255.240'
Resources:
  ASAvDNSRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PublicHostedZone
      Name: !Join
        - '.'
        - - 'vpn'
          - !Ref DnsName
      TTL: 5
      Type: A
      HealthCheckId: !Ref R53HealthCheck
      SetIdentifier: !Sub 'Frontend-${InstanceIdentifier}'
      Weight: 4
      ResourceRecords:
      - !Ref outsideIP
  R53HealthCheck: 
    Type: 'AWS::Route53::HealthCheck'
    Properties: 
      HealthCheckConfig: 
        IPAddress: !Ref outsideIP
        Port: 443
        Type: HTTPS_STR_MATCH
        ResourcePath: '/'
        RequestInterval: 30
        FailureThreshold: 5
        MeasureLatency: true
        SearchString: '+CSCOE+'
      HealthCheckTags: 
        - 
          Key: Name
          Value: ASAvHealthcheck
  MgmtSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPCID
      CidrBlock: !Ref 'MgmtSubnet1CIDR'
      AvailabilityZone: 
        Fn::Select: 
          - !Ref InstanceIdentifier
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub 'Mgmt subnet ${InstanceIdentifier}'
  MGMTRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'MgmtSubnet1'
      RouteTableId: !Ref 'MgmtRouteTable'
  outsideIP:
      Type: AWS::EC2::EIP
      Properties:
        Domain: vpc        
  associateOutsideIP:
      Type: AWS::EC2::EIPAssociation
      Properties:
        AllocationId: !GetAtt outsideIP.AllocationId 
        NetworkInterfaceId: !Ref outsideENI
  mgmtENI:
      Type: AWS::EC2::NetworkInterface
      Properties:
         Tags:
         - Key: Name
           Value: MgmtEni
         Description: A nice description.
         SourceDestCheck: false
         GroupSet:
         - !Ref 'ASAvInstanceSGMGMT'
         SubnetId: !Ref MgmtSubnet1
  outsideENI:
      Type: AWS::EC2::NetworkInterface
      Properties:
         Tags:
         - Key: Name
           Value: OutsideEni
         Description: A nice description.
         SourceDestCheck: false
         GroupSet:
         - !Ref 'ASAvInstanceSGOUTSIDE'
         SubnetId: !Ref PublicSubnet1ID
  InsideENI:
      Type: AWS::EC2::NetworkInterface
      Properties:
         Tags:
         - Key: Name
           Value: InsideEni
         Description: A nice description.
         SourceDestCheck: false
         GroupSet:
         - !Ref 'ASAvInstanceSGINSIDE'
         SubnetId: !Ref PrivateSubnet1ID
  ASAvInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      Tags:
        - Key: Name
          Value: !Ref ASAv1HostName
      InstanceType: !Ref InstanceTypeParam
      KeyName: !Ref KeyPair
      ImageId: !FindInMap 
        - AWSAMIRegionMap
        - !Ref 'AWS::Region'
        - HVM64
      NetworkInterfaces:
       - NetworkInterfaceId: !Ref 'mgmtENI'
         DeviceIndex: '0'
       - NetworkInterfaceId: !Ref 'outsideENI'
         DeviceIndex: '1'
       - NetworkInterfaceId: !Ref 'InsideENI'
         DeviceIndex: '2'
      UserData:
        Fn::Base64: !Sub  
        - |
          ! ASA Version
          hostname ${ASAv1HostName}
          !
          ip local pool VPN-POOL ${VPNPoolFrom1}-${VPNPoolTo1} mask ${VPNPoolMask1}
          access-list split standard permit ${VPCPOOL} ${VPCMASK}
          access-list split standard permit ${OnPremPool} ${OnPremMask} 
          !
          username ${VPNUser} password ${VPNPassword}
          username ${VPNUser} attributes
          service-type remote-access
          !
          int tengi 0/0
          nameif outside
          security-level 0
          ip address dhcp setroute
          no shut
          int tengi 0/1
          nameif inside
          security-level 100
          ip address dhcp
          no shut 
          interface management0/0
          nameif management
          security-level 100
          ip address dhcp
          no shut
          !
          !
          webvpn
          enable outside
          anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1
          anyconnect enable
          tunnel-group-list enable
          group-policy LAB internal
          group-policy LAB attributes
          vpn-tunnel-protocol ssl-client ssl-clientless
          address-pools value VPN-POOL
          split-tunnel-policy tunnelspecified
          split-tunnel-network-list value split
          dynamic-access-policy-record DfltAccessPolicy
          username admin nopassword privilege 15
          tunnel-group LAB type remote-access
          tunnel-group LAB general-attributes
          default-group-policy LAB
          address-pool VPN-POOL
          tunnel-group LAB webvpn-attributes
          group-alias LAB-VPN enable
          !
          dns domain-lookup outside
          dns server-group DefaultDNS
          name-server 208.67.222.222
          name-server 208.67.220.220
          !
          same-security-traffic permit inter-interface
          same-security-traffic permit intra-interface
          !
          route inside ${OnPremPool} ${OnPremMask} ${PrivateSubnet1GW}
          !
          policy-map global_policy
          class inspection_default
            inspect icmp
          !
          access-list 101 extended permit ip any any 
          access-group 101 in interface outside
          access-group 101 in interface inside
          !
          object network NET-${PrivateSubnet1CIDR}
          subnet ${PrivateSubnet1Pool} ${PrivateSubnet1Mask}
          nat (inside,outside) dynamic interface
          !
          crypto key generate rsa modulus 2048
          ssh 0 0 inside
          ssh 0 0 outside
          ssh 0 0 management
          ssh timeout 30
          aaa authentication ssh console LOCAL
          username admin nopassword privilege 15
          username admin attributes
          service-type admin
          !
          name 129.6.15.28 time-a.nist.gov
          name 129.6.15.29 time-b.nist.gov
          name 129.6.15.30 time-c.nist.gov
          ntp server time-c.nist.gov
          ntp server time-b.nist.gov
          ntp server time-a.nist.gov
          icmp permit any outside
          icmp permit any inside
          icmp permit any management
          !
        - VPCMASK: !FindInMap
          - CIDRtoSubnetmask
          - !Ref VPCCIDRMASK
          - mask
          VPNPoolMask1: !FindInMap
          - CIDRtoSubnetmask
          - !Ref VPNPoolCIDRMask1
          - mask
          OnPremMask: !FindInMap
          - CIDRtoSubnetmask
          - !Ref OnPremCIDRMask
          - mask
          PrivateSubnet1Mask: !FindInMap
          - CIDRtoSubnetmask
          - !Ref PrivateSubnet1CIDRMask
          - mask  
Outputs:
  AccountId:
    Description: Amazon Account ID
    Value: !Ref 'AWS::AccountId'
  MgmtSubnet1CIDR:
    Description: Mgmt subnet CIDR
    Value: !Ref 'MgmtSubnet1CIDR'
  MgmtSubnet1ID:
    Description: Mgmt subnet ID
    Value: !Ref 'MgmtSubnet1'
  InsideENI:
    Description: ASAv Instance Inside Network Interface ID
    Value: !Ref 'InsideENI'
  ASAv1MGMTIP:
    Description: ASAv Instance Management IP
    Value: !GetAtt mgmtENI.PrimaryPrivateIpAddress
  ASAv1PublicIP:
    Description: ASAv Instance Public IP
    Value: !Ref outsideIP
  VPNPoolFrom1:
    Description: ASAv Instance VPN Pool From
    Value: !Ref VPNPoolFrom1
  VPNPoolTo1:
    Description: ASAv Instance VPN Pool To
    Value: !Ref VPNPoolTo1
  VPNPoolCIDRMask1:
    Description: ASAv Instance VPN Pool Mask
    Value: !Ref VPNPoolCIDRMask1