Fixing README, eip on outside interface, existing vpc route table control

[abhijitpal]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm raising this issue to discuss about the issues below. Some are feature requests and some are defects. I'm also mentioning the probable solution for each of these points in the relevant section. In parallel to this discussion, I've already forked this repo to fix the below points based on the solution expected to the best of my knowledge and ability

Defects

• Typo in README files
• Few existing inputs and outputs were not documented
• When creating FTD and FMC with existing subnets, new route tables getting created and existing subnet associations are getting removed from main routing table
• FTD user data is not populated with FMC mgmt IP thus 'show managers' on FTD doesn't show the FMC as manager
• usage of deprecated argument 'vpc' for resource 'aws_eip'

Feature suggestions

• adding an option to associate an eip with outside interface. This is so that internal hosts can reach internet through outside interface

New or Affected Resource(s):

Affected

• data "template_file" "ftd_startup_file"
• resource "aws_route_table" "ftd_outside_route"
• resource "aws_route_table" "ftd_inside_route"
• resource "aws_route_table" "ftd_diag_route"
• resource "aws_route_table_association" "inside_association"
• resource "aws_route_table_association" "diag_association"
• resource "aws_eip" "ftd_mgmt_eip"
• resource "aws_eip" "fmcmgmt_eip"

New

• resource "aws_eip" "ftd_outside_eip"
• resource "aws_eip_association" "ftd_outside_ip_assocation"

Describe the solution expected:

The typos in Readme files should be fixed. Also, the missed and new objects needs to be added in the Readme files.

For the points,

• When creating FTD and FMC with existing subnets, new route tables getting created and existing subnet associations are getting removed from main routing table Solution expected: When FMC and FTD are deployed using existing VPC, subnets and igw, the associations of the subnets should not change from the main routing table and also the any form of changes to those subnets would also affect other instances using the same subnets. One way of controlling this is behaviours is the usage of existing variable rta

• FTD user data is not populated with FMC mgmt IP thus 'show managers' on FTD doesn't show the FMC as manager Solution expected: For FTD to populate the correct FMC IP, FMC needs to be first deployed.

• usage of deprecated argument 'vpc' for resource 'aws_eip' Solution expected: The argument 'domain' should be used.

For the below feature suggestion

• adding an option to associate an eip with outside interface. This is so that internal hosts can reach internet through outside interface Solution expected: There should be variable introduced to control whether to associate any eip to the outside interface.

References

• 0000

[abhijitpal]

A draft version of the fixes for all the above-mentioned defects and enhancements can be seen at https://github.com/CiscoDevNet/terraform-aws-secure-firewall/pull/3

[abhijitpal]

Maintainers, can someone please comment on this issue with your thoughts