Terraform Azure Marketplace vFTD

Jesse-H
Level 1

Hi! I'm looking for help using Terraform to deploy a vFTD from Azure Marketplace. Has anyone been able to do this? Thank you!

5 Replies

Torbjørn
Spotlight

I have not deployed the vFTD specifically, but I have deployed other marketplace images using Terraform. Is there something specific about the vFTD deployment you need help with?

You will first need to accept the terms using the azurerm_marketplace_agreement resource. Then you can deploy the appliance using the azurerm_linux_virtual_machine resource and specifying the image to use under "plan" and "source_image_reference" like so:

# The image you boot from and the purchase plan must name the same
# publisher/offer/sku, so both blocks are fed from the same variables.
# (var.image_version is used because "version" is a reserved variable name.)
source_image_reference {
  publisher = var.publisher
  offer     = var.offer
  sku       = var.sku
  version   = var.image_version
}

plan {
  name      = var.sku
  product   = var.offer
  publisher = var.publisher
}

The best way to figure out the specific values you will need to set is by using the regular web-ui to prepare a deployment and inspecting the resulting ARM template.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thanks for the quick reply! Here is what I've got so far.
The "Cisco Secure Firewall Threat Defense Virtual" marketplace agreement has been accepted, and this marketplace item has been deployed successfully through the portal.

When trying to deploy through Terraform, the following error is received:

Error: creating Linux Virtual Machine (Subscription: "<>" Resource Group Name: "lab-vftd-rg" Virtual Machine Name: "TEST-VFTD-01"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ResourcePurchaseValidationFailed" Message="User failed validation to purchase resources. Error message: 'Offer with PublisherId: 'cisco', OfferId: 'cisco-firepower-threat-defense-appliance' cannot be purchased due to validation errors. For more information see details. Correlation Id: '' The Offer: 'cisco-firepower-threat-defense-appliance' cannot be purchased by subscription: 'df714601-8550-4aff-9fe2-69744d896d06' as it is not to be sold in market: 'US'. Please choose a subscription which is associated with a different market. Correlation Id ''.'"


Here is the terraform:

# SSH key pair generated in state; the public half is injected into the VM below.
resource "tls_private_key" "ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# FTDv expects four interfaces in this order: management, diagnostic, outside, inside.
resource "azurerm_network_interface" "management" {
  name                = "${lower(var.CODE)}-${lower(var.vnet_region_code)}-management-nic"
  location            = var.REGION
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "management"
    subnet_id                     = azurerm_subnet.management.id
    private_ip_address_allocation = "Dynamic"
  }

  tags = local.tags
}

resource "azurerm_network_interface" "diagnostic" {
  name                = "${lower(var.CODE)}-${lower(var.vnet_region_code)}-diagnostic-nic"
  location            = var.REGION
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "diagnostic"
    subnet_id                     = azurerm_subnet.diagnostic.id
    private_ip_address_allocation = "Dynamic"
  }

  tags = local.tags
}

# Outside NIC carries one primary address plus two secondary addresses
# with public IPs attached (for PAT and static NAT).
resource "azurerm_network_interface" "outside_public" {
  name                = "${lower(var.CODE)}-${lower(var.vnet_region_code)}-outside-public-nic"
  location            = var.REGION
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "outside_public"
    primary                       = true
    subnet_id                     = azurerm_subnet.outside_public.id
    private_ip_address_allocation = "Dynamic"
  }

  ip_configuration {
    name                          = "outside_pat"
    subnet_id                     = azurerm_subnet.outside_public.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.outside_pat.id
  }

  ip_configuration {
    name                          = "outside_nat"
    subnet_id                     = azurerm_subnet.outside_public.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.outside_nat.id
  }

  tags = local.tags
}

resource "azurerm_network_interface" "inside_private" {
  name                = "${lower(var.CODE)}-${lower(var.vnet_region_code)}-inside-private-nic"
  location            = var.REGION
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "inside_private"
    subnet_id                     = azurerm_subnet.inside_private.id
    private_ip_address_allocation = "Dynamic"
  }

  tags = local.tags
}

# Marketplace terms are accepted for this publisher/offer/plan combination.
# Note that the plan accepted here is not the SKU used in source_image_reference below.
resource "azurerm_marketplace_agreement" "vftd3" {
  publisher = "cisco"
  offer     = "cisco-firepower-threat-defense-appliance"
  plan      = "cisco-asav-four-nic-byol"
}

# Random suffix so the storage account name is globally unique.
resource "random_string" "this" {
  length  = 6
  numeric = false
  upper   = false
  special = false
}

# Storage account used only for boot diagnostics output.
resource "azurerm_storage_account" "this" {
  name                     = "vftd${random_string.this.result}"
  location                 = var.REGION
  resource_group_name      = var.resource_group_name
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_linux_virtual_machine" "main" {
  name                = "TEST-VFTD-01"
  resource_group_name = var.resource_group_name
  location            = var.REGION
  size                = var.vm_size
  admin_username      = var.admin_username

  # Interface order matters for FTDv; the first entry becomes the primary NIC.
  network_interface_ids = [
    azurerm_network_interface.management.id,
    azurerm_network_interface.diagnostic.id,
    azurerm_network_interface.outside_public.id,
    azurerm_network_interface.inside_private.id,
  ]

  boot_diagnostics {
    storage_account_uri = azurerm_storage_account.this.primary_blob_endpoint
  }

  admin_ssh_key {
    username   = var.admin_username
    public_key = tls_private_key.ssh.public_key_openssh
  }

  # Purchase plan Azure validates against the subscription.
  plan {
    name      = "cisco-asav-four-nic-byol"
    product   = "cisco-firepower-threat-defense-appliance"
    publisher = "cisco"
  }

  # Image actually booted; offer and sku differ from the plan block above.
  source_image_reference {
    publisher = "cisco"
    offer     = "cisco-ftdv"
    sku       = "ftdv-azure-payg"
    version   = "725208.0.0"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
    disk_size_gb         = 500
  }

  tags = local.tags

  depends_on = [azurerm_marketplace_agreement.vftd3]
}

Of course, I can deploy the same appliance from the marketplace without any problems.

Have you tried this solution?
Solution: Remove the plan block in azurerm_linux_virtual_machine resource
https://stackoverflow.com/questions/72076412/unable-to-deploy-windows-vm-not-to-be-sold-in-market-us

If that doesn't fix your problem, use our template: https://github.com/CiscoDevNet/secure-firewall/tree/main/FTD/Azure/Terraform/SingleInstance for deploying a single instance of FTDv on Azure.

I suspect that this error can be related to your plan name being set to "cisco-asav-four-nic-byol", I believe this should be set to "ftdv-azure-byol".

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
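As an added example that is not code from this thread or from the CiscoDevNet template, the configuration below puts together the pattern Torbjørn describes (accept the agreement, then feed "plan" and "source_image_reference" from the same values) and turns the mismatch suspected above into a plan-time failure instead of an Azure purchase-validation error. The variables var.REGION, var.resource_group_name, var.vm_size, var.admin_username, var.admin_ssh_public_key and var.ftdv_nic_ids are assumed, as is the "ftdv-azure-byol" SKU; confirm publisher, offer, sku and version against the ARM template the portal generates for your own subscription. The precondition needs Terraform 1.2 or later.

```hcl
# Added example, not from the thread or the CiscoDevNet template.
# Assumed inputs: var.REGION, var.resource_group_name, var.vm_size,
# var.admin_username, var.admin_ssh_public_key (OpenSSH public key string),
# var.ftdv_nic_ids (list of the four NIC ids in management/diagnostic/outside/inside order).

locals {
  # The image the VM boots from. The SKU is an assumption; the thread's VM used
  # "ftdv-azure-payg". "latest" resolves the newest published version.
  ftdv_image = {
    publisher = "cisco"
    offer     = "cisco-ftdv"
    sku       = "ftdv-azure-byol"
    version   = "latest"
  }

  # The purchase plan Azure validates the subscription against. It is derived
  # from the image on purpose: the error in the thread came from a plan name
  # ("cisco-asav-four-nic-byol") that did not match the image's offer/sku.
  ftdv_plan = {
    name      = local.ftdv_image.sku
    product   = local.ftdv_image.offer
    publisher = local.ftdv_image.publisher
  }
}

# Step 1: accept the marketplace terms once per subscription for exactly this plan.
resource "azurerm_marketplace_agreement" "ftdv" {
  publisher = local.ftdv_plan.publisher
  offer     = local.ftdv_plan.product
  plan      = local.ftdv_plan.name
}

# Step 2: deploy the appliance with plan and image pointing at the same SKU.
resource "azurerm_linux_virtual_machine" "ftdv" {
  name                  = "TEST-VFTD-01"
  resource_group_name   = var.resource_group_name
  location              = var.REGION
  size                  = var.vm_size
  admin_username        = var.admin_username
  network_interface_ids = var.ftdv_nic_ids

  admin_ssh_key {
    username   = var.admin_username
    public_key = var.admin_ssh_public_key
  }

  plan {
    name      = local.ftdv_plan.name
    product   = local.ftdv_plan.product
    publisher = local.ftdv_plan.publisher
  }

  source_image_reference {
    publisher = local.ftdv_image.publisher
    offer     = local.ftdv_image.offer
    sku       = local.ftdv_image.sku
    version   = local.ftdv_image.version
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  lifecycle {
    # Evaluated during "terraform plan": if the two maps or the accepted
    # agreement are ever edited independently and drift apart, the run stops
    # here with a readable message rather than with ResourcePurchaseValidationFailed
    # from the Azure API. Referencing the agreement also orders it before the VM,
    # so no explicit depends_on is needed.
    precondition {
      condition = (
        local.ftdv_plan.name == local.ftdv_image.sku &&
        local.ftdv_plan.product == local.ftdv_image.offer &&
        local.ftdv_plan.publisher == local.ftdv_image.publisher &&
        azurerm_marketplace_agreement.ftdv.plan == local.ftdv_plan.name &&
        azurerm_marketplace_agreement.ftdv.offer == local.ftdv_plan.product
      )
      error_message = "Marketplace plan, accepted agreement and source image must name the same publisher, offer and SKU."
    }
  }
}
```

Keeping one local as the single source for the agreement, the plan block and the image is what prevents the class of error shown in the thread; the precondition is there for the day someone splits those values across files again.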

This might be it, great catch!