Collection to provision disposable topologies.

The content of this repository is subdivided in the following categories:

- build - Manipulation of local artifacts, mainly file operations.
- provision - Provisioning of resources in a cloud provider.
- deploy - Setup of environments in the provisioned instances.
- test - Validation of the environments from end-to-end.
name | cidr |
---|---|
mgmt | 10.1.0.0 |
outside | 10.1.1.0 |
inside | 10.1.2.0 |

Range | Start | End |
---|---|---|
Network | 10.1.X.254 | 10.1.X.124 |
Host | 10.1.X.123 | 10.1.X.1 |
mgmt | outside | inside | groups | inventory_hostname |
---|---|---|---|---|
10.1.0.254 | 10.1.1.254 | 10.1.2.254 | panos | fw01-panos |
10.1.0.253 | 10.1.1.253 | 10.1.2.253 | asa | fw01-asa |
10.1.0.252 | 10.1.1.252 | 10.1.2.252 | fortios | fw01-fortios |

mgmt | outside | inside | groups | inventory_hostname |
---|---|---|---|---|
10.1.0.200 | 10.1.1.200 | 10.1.2.200 | tmos | lb01-tmos |

mgmt | outside | inside | groups | inventory_hostname |
---|---|---|---|---|
10.1.0.150 | 10.1.1.150 | 10.1.2.150 | ios | rtr01-ios |
10.1.0.149 | 10.1.1.149 | 10.1.2.149 | ios | rtr02-ios |
10.1.0.148 | 10.1.1.148 | 10.1.2.148 | ios | rtr03-ios |
10.1.0.147 | 10.1.1.147 | 10.1.2.147 | ios | rtr04-ios |
10.1.0.146 | 10.1.1.146 | 10.1.2.146 | ios | rtr05-ios |
10.1.0.145 | 10.1.1.145 | 10.1.2.145 | ios | rtr06-ios |

mgmt | inside | groups | inventory_hostname |
---|---|---|---|
10.1.0.100 | 10.1.2.100 | tower | host01-tower |
10.1.0.99 | 10.1.2.99 | linux | host01-linux |
10.1.0.98 | 10.1.2.98 | windows | host01-windows |
10.1.0.97 | 10.1.2.97 | nios | host01-nios |
10.1.0.96 | 10.1.2.96 | splunk | host01-splunk |
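The address plan in the tables above (one /24 per interface, the same last octet on every interface of a node, network devices in .124-.254 and hosts in .1-.123) can be checked before a topology is provisioned. The validator below is an added example, not code from this repository; it assumes an INI-style inventory in which each host carries mgmt/outside/inside hostvars (a constructed sample is embedded) and uses the standard-library ipaddress module instead of netaddr.

```python
import ipaddress
# Constructed sample in Ansible INI style (not the repository's own hosts file);
# assumes each host carries mgmt/outside/inside hostvars as in the tables above.
SAMPLE_HOSTS = """[panos]
fw01-panos mgmt=10.1.0.254 outside=10.1.1.254 inside=10.1.2.254
[linux]
host01-linux mgmt=10.1.0.99 inside=10.1.2.99
[splunk]
host01-splunk mgmt=10.1.0.96 inside=10.1.1.96
"""
SUBNETS = {"mgmt": ipaddress.ip_network("10.1.0.0/24"),
           "outside": ipaddress.ip_network("10.1.1.0/24"),
           "inside": ipaddress.ip_network("10.1.2.0/24")}
# Last-octet ranges from the Range table: network devices .124-.254, hosts .1-.123.
NETWORK_GROUPS = {"panos", "asa", "fortios", "tmos", "ios"}
RANGES = {"network": (124, 254), "host": (1, 123)}

def parse_inventory(text):
    """Return {hostname: {"group": ..., "mgmt": ..., ...}} from INI-style text."""
    hosts, group = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            group = line.strip("[]")
        else:
            name, *pairs = line.split()
            hosts[name] = {"group": group, **dict(p.split("=", 1) for p in pairs)}
    return hosts

def check_host(name, hostvars):
    """Return the address-plan violations for one host (empty list means ok)."""
    errors, octets = [], set()
    kind = "network" if hostvars["group"] in NETWORK_GROUPS else "host"
    for iface, net in SUBNETS.items():
        if iface in hostvars:
            addr = ipaddress.ip_address(hostvars[iface])
            if addr not in net:
                errors.append(f"{name}: {iface} {addr} not in {net}")
            octets.add(int(addr) & 0xFF)
    if len(octets) != 1:  # every interface must share the same last octet
        errors.append(f"{name}: last octet differs across interfaces {sorted(octets)}")
    elif not RANGES[kind][0] <= octets.pop() <= RANGES[kind][1]:
        errors.append(f"{name}: last octet outside {kind} range {RANGES[kind]}")
    return errors

def check_inventory(text):
    return [e for n, v in parse_inventory(text).items() for e in check_host(n, v)]
```

Run check_inventory on the sample and host01-splunk is reported, because its inside address sits in the outside subnet.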
```sh
# per-user install
pip install --user ansible netaddr boto boto3 passlib
# system-wide install
pip install ansible netaddr boto boto3 passlib
```
Environment | Instructions |
---|---|
AWS | AWS Support ticket to increase Elastic IPs to 30. Default: 5 (Reference). |
Ansible Tower | Red Hat Ansible Tower license (required). Save the license file in files/licenses/tower. |
Infoblox | NIOS CP (required). NIOS TE (optional). |
Cisco | ASAv BYOL (required). ASAv (optional). |
F5 | BigIP PAYG (required). BigIP BYOL (optional). |
PaloAlto | Firewall BYOL (required). Firewall 1 (optional). Firewall 2 (optional). |
Splunk | Enterprise (required). Insights for Infrastructure (optional). |
Fortinet | Fortigate (required). |

NOTE: In Ansible Tower, manage Inventories through the standard WebUI.
- Copy the directory inventories/full to inventories/mytopology.

```sh
cp -ap inventories/full inventories/mytopology
```

- Edit the file inventories/mytopology/hosts to choose the nodes in your topology.

```sh
vi inventories/mytopology/hosts
```

- Edit the file inventories/mytopology/group_vars/all.yaml to customize subnets, vpcs, regions...

```sh
vi inventories/mytopology/group_vars/all.yaml
```

NOTE: For a multisite topology, consult the cisco_ios inventory.

- Save the public ssh_key in files/keychain/<ec2_vpc_name>.pub.

```sh
cp <my key>.pub files/keychain/site1.pub
cp <my key>.pub files/keychain/site2.pub
cp <my key>.pub files/keychain/site3.pub
```

- Save the private ssh_key in files/keychain/<ec2_vpc_name>.

```sh
cp <my key> files/keychain/site1
cp <my key> files/keychain/site2
cp <my key> files/keychain/site3
```

NOTE: If missing, ssh-keys are generated automatically during build.
```sh
./playbooks/main.yaml -i inventories/full
```

NOTE: By default everything is provisioned in site1.

```sh
./playbooks/provision.yaml -i inventories/full
```

NOTE: ssh-keys are only generated during build.

```sh
./playbooks/provision.yaml -i inventories/full --limit linux
```

NOTE: ssh-keys are only generated during build.

```sh
./playbooks/main.yaml -i inventories/redhat_rhel
```

HINT: Topologies are built from inventories.

```sh
./playbooks/terminate.yaml -i inventories/cisco_ios --limit site1
./playbooks/provision.yaml -i inventories/cisco_ios --limit tower
./playbooks/reprovision.yaml -i inventories/cisco_ios --limit rtr01-ios
./playbooks/reprovision.yaml -i inventories/cisco_ios --limit ios
```
This is straightforward for topologies following the guideline for groups and vpc names.

- To spawn the cisco_ios topology with 3 sites:

```sh
./playbooks/main.yaml -i inventories/cisco_ios --limit site1
./playbooks/main.yaml -i inventories/cisco_ios --limit site2
./playbooks/main.yaml -i inventories/cisco_ios --limit site3
```

NOTE: Multiple sites cannot be provisioned in parallel as part of the same play, because of race conditions.

NOTE: Multiple sites can be provisioned in parallel from different terminals with different --limit values.

NOTE: Multiple instances are provisioned in parallel.

- To provision Infoblox on top of the previous topology:

```sh
./playbooks/main.yaml -i inventories/infoblox_nios
```

- To provision Splunk on top of the previous topology:

```sh
./playbooks/main.yaml -i inventories/splunk_es
```
- Create a project for https://www.github.com/victorock/demopoc.
- Create an inventory and define a source from the project for inventories/cisco_ios/hosts.
- Create a job template and choose a playbook from the playbooks folder (ex: playbooks/main.yaml).
```
inventories/
.
├── cisco_ios
│   ├── group_vars
│   │   ├── site1.yaml
│   │   ├── site2.yaml
│   │   └── site3.yaml
│   └── hosts
├── f5_tmos
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
├── full
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
├── infoblox_nios
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
├── microsoft_windows
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
├── paloalto_panos
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
├── redhat_rhel
│   ├── group_vars
│   │   └── all.yaml
│   └── hosts
└── splunk_es
    ├── group_vars
    │   └── all.yaml
    └── hosts
```
Due to a limitation in the Infoblox image, the Infoblox AMI is only accessible through the inside interface (LAN1).

As an alternative, create an SSH tunnel through Ansible Tower to access the Infoblox WebUI:

- Add the ssh-key to ssh-agent:

```sh
ssh-add files/keychain/<ssh_private_key_file>
```

- Establish the SSH tunnel (localhost:8443 -> 10.1.2.97:443); the -L option must come before the host, and -l takes only the login name:

```sh
ssh -l ec2-user -L 8443:10.1.2.97:443 <tower_public_ip>
```

- Open the browser:

```sh
open -a "Google Chrome" https://localhost:8443/
```
- Build: Run locally, calling the role build.
- Provision: Run locally, calling the role provision.
- Deploy: Run against the provisioned device, calling the role deploy.

- main.yaml:
  - build.yaml:
  - provision.yaml:
  - deploy.yaml:
    - roles:
      - deploy_tower:
      - deploy_linux:
        - network configuration
        - baseline packages
        - repositories (redhat-rhui)
        - subscription (optional)
      - tower_setup:
      - tower_configure:
      - tower_facts
  - test.yaml:
    - roles:
      - test_tower:
        - application tests

deploy_<environment> for the following:

- asa
- fortios

Performing the following tasks:

- configure the environment administrative password according to the value of the variable deploy_password.
Don't use any of the content from this repository to manage real production environments.