Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4124
Views
0
Helpful
1
Comments

Terraform Provider Cisco ASA

Dinkar Sharma
Cisco Employee
Cisco Employee

‎07-01-2021 11:27 PM - edited ‎07-23-2021 12:18 PM

Introduction

Terraform by Hashicorp is an open-source infrastructure as code (IaaS) software tool that enables you to provision infrastructure and configures it. This document will be demonstrating how to set up Terraform and how to use it to configure Cisco ASA via API. Terraform can also be used to provision ASAv on your choice of provider such as AWS, Azure, VMware, GCP. But for the scope of this document I am just going to use an existing deployed ASAv and configure it using Terraform templates.

Requirements

  • Cisco ASA (Hardware or ASAv)
  • Linux, MAC or Windows host
  • Install Terraform and Required Components
  • Clone Terraform's GitHub repository

Installation Steps

 

1. Install ASA (Hardware or ASAv)

Install ASA software of Cisco ASA hardware platform or ASAv. Please refer to Cisco's official documentation for ASA installation.

Terraforms can also be used to provision software ASA on various provider's platforms. Terraform's repository does have a script for that which can help us to provision devices but I am not going to demonstrate that in this document.

2. Install Linux/MAC or Windows host or VM

Install a supported Windows,  MAC, or Linux host machine where terraform will be installed. If you are using a Linux distribution then use the following commands to install git, curl and golang packages after ubuntu machine is up and running.

sudo apt-get install git
sudo apt-get install curl
sudo apt-get install golang

3. Install Terraform and Required Components

The next step is to install terraform on your desired platform. You can refer to Hashicorp's Official documentation for installation guidelines. For this demonstration purpose, I used an Ubuntu Linux machine and installed terraform following the above documentation guidelines. I am going to list same commands in this document in case the above-mentioned URL changes or becomes inaccessible due to any reason:

  • Ensure that your system is up to date, and you have the gnupg, software-properties-common, and curl packages installed. You will use these packages to verify HashiCorp's GPG signature and install HashiCorp's Debian package repository.
sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curlcurl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
  • Add the official HashiCorp Linux repository.
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
  • Update to add the repository, and install the Terraform CLI.
sudo apt-get update && sudo apt-get install terraform

4. Clone Terraform's GitHub repository

Clone Hashicorp's Terraform's Cisco ASA provider Github repository using the following command.

git clone https://github.com/hashicorp/terraform-provider-ciscoasa /opt/terraform-asa

Screen Shot 2021-06-25 at 1.14.47 AM.png

  • All the contents of the repository will be copied to /opt/terraform-asa directory.

Screen Shot 2021-06-25 at 1.15.19 AM.png

5. Create a provider file

The Cisco ASA provider is used to interact with Cisco ASA hardware devices or the Cisco ASAv virtual appliance. The provider needs to be configured with the proper credentials before it can be used.

  • Create a "provider.tf" within /opt/terraform-asa directory and paste the following content into it. This contains your ASA's management IP address, username, and password.
provider "ciscoasa" {
  api_url       = "https://10.0.0.5"
  username      = "admin"
  password      = "cisco"
  ssl_no_verify = false
}
  • Run the "terraform init"command to initialize it.

Screen Shot 2021-06-24 at 2.07.44 PM.png

 

Next is to create a terraform config file with config resource you would like to push to ASA. List of all available resources can be found here:

https://registry.terraform.io/providers/hashicorp/ciscoasa/latest/docs

 

Example: Configuring Network Objects on ASA

Create and save a file asa_network_object.tf configure you network objects in the following format.

resource "ciscoasa_network_object" "ipv4host" {
  name  = "ipv4_host"
  value = "192.168.10.5"
}
resource "ciscoasa_network_object" "ipv4range" {
  name  = "ipv4_range"
  value = "192.168.10.5-192.168.10.15"
}
resource "ciscoasa_network_object" "ipv4_subnet" {
  name  = "ipv4_subnet"
  value = "192.168.10.128/25"
}

Before you apply the config, you can always use the command "terraform apply" to validate the config:

Screen Shot 2021-07-02 at 12.12.24 AM.png

Push the config with the command "terraform apply"

 

Screen Shot 2021-07-02 at 12.06.35 AM.png

  • Config will be pushed to ASA:

Screen Shot 2021-07-02 at 2.26.29 AM.png

  • Similarly, you can add another terraform resource file and apply that as well. For example "ASA-Routes.tf" containing static routes.
  • If you try to re-apply previously applied config, terraform does detect notify if there are no changes that need to be applied.

Supported Resources

Terraform only support the following ASA configuration components:

 

0 Helpful
Comments
Andrey Pastukhov
Level 1
Level 1
‎07-05-2023 07:02 AM

Hi!

Help me please. I want configuration any cisco asa devices with terraform.

How I can configure terraform for connect any devices?

If I copy block with 2 or more ip api_url - I got error.  Thanks!

provider "ciscoasa" {
  api_url       = "https://10.0.0.5"
  username      = "admin"
  password      = "cisco"
  ssl_no_verify = false
}

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents