Sample Terraform scripts and GitHub Action demonstrating Cisco Multicloud Defense onboarding/discovery/deployment/protection in an infrastructure-as-code scenario.
Companion to the Cisco DevNet learning lab: Cisco Multicloud Defense - Terraform

See:
- CiscoDevNet/ciscomcd - Terraform provider

Detailed, step-by-step instructions can be found in the associated DevNet Learning Lab: Cisco Multicloud Defense - Terraform
At a high level:
- Fork this repository on GitHub.
- Enable GitHub Actions.
- Create/download a Cisco Multicloud Defense API key with the admin/read-write role.
- Configure AWS IAM with a GitHub OIDC identity provider/role for the forked repo.
- Create an AWS EC2 authentication key pair with the name `mcd-lab`.
- Create an AWS S3 bucket as storage for Terraform state.
- Create GitHub Actions repo secrets:
  - `AWS_REGION`: `us-east-1`
  - `AWS_OIDC_IDP_ROLE_ARN`
  - `AWS_S3_BUCKET_NAME`
  - `MCD_API_KEY`: JSON contents of the MCD API key file

  and the repo variable:
  - `ACTIONS_RUNNER_DEBUG`: `true`
- Basic functionality of the GitHub Action can be verified by running the `Terraform apply` action via a manual run (no resources should get created). Commit-based dispatch can be enabled by uncommenting the `push:` section of `action.yaml`.
- Once verified, create a new branch (`Baseline_Cleanup`) before proceeding with the lab to create resources. Manually running the GitHub Action against this baseline branch will destroy all resources created by the lab.
The learning lab then proceeds to create a sample VPC and an MCD service VPC and to enable various security policies in 7 steps. Each step involves moving a Terraform config file from a module's `disabled/` folder into the parent module folder (based on the leading number of the file name), and/or uncommenting or commenting out lines in specific Terraform files (marked with inline comments, e.g. `Step 2: Onboard with Cisco Multicloud Defense`).