LEC additions and fixes

terraform/citrix-adc/main.tf

@@ -1,4 +1,21 @@
+module "vsphere_deployment" {
+    # Check if this needs to run based on global settings
+    count = var.terraform_settings.deploy_vsphere ? 1 : 0
+    # Import the source module
+    source = "./modules/vsphere.netscaler.deployment"
+
+    # vSphere settings
+    vsphere = var.vsphere
+
+    # VM settings
+    vm = var.vm
+}
+
+
 module "base_configuration" {
+    # Check if this needs to run based on global settings
+    count = var.terraform_settings.deploy_settings ? 1 : 0
+    # Import the source module
     source = "./modules/netscaler.base.configuration"
 
     # Default settings / Best Practices & Profiles
@@ -7,8 +24,6 @@ module "base_configuration" {
     base_configuration = var.base_configuration
     base_configuration_snip = var.base_configuration_snip
 
-
-
     # Virtual Servers / Services creation
     # base_vservers.tf
     servers = var.servers
@@ -23,7 +38,15 @@ module "base_configuration" {
     # base_gateway.tf
     gateway = var.gateway
 
+}
+
+module "letsencrypt" {
+    count = var.terraform_settings.deploy_letsencrypt ? 1 : 0
+    source = "./modules/netscaler.letsencrypt"
+
+    # LetsEncrypt configuration
 
+    # Set these variables in the module variables.tf file
+    # They have been excluded from the main terraform.tfvars file for ease of reading
+}
 
-
-}

terraform/citrix-adc/modules/netscaler.base.configuration/base_gateway.tf

@@ -8,19 +8,6 @@ resource "citrixadc_authenticationvserver" "aaa_vserver" {
     depends_on = [citrixadc_nsfeature.advanced_nsfeature]
 }
 
-# # Bind authentication policy to AAA vserver
-# resource "citrixadc_authenticationvserver_authenticationldappolicy_binding" "aaa_policy_bind" {
-#   count = var.base_configuration.advanced ? 1 : 0
-#   name      = citrixadc_authenticationvserver.aaa_vserver[count.index].name
-#   policy    = citrixadc_authenticationpolicy.auth_authpolicy.name
-#   priority  = 90
-#   #bindpoint = "REQUEST"
-
-#   depends_on = [
-#     citrixadc_vpnvserver.gw_vserver
-#     ]
-# }
-
 resource "citrixadc_authenticationvserver_authenticationpolicy_binding" "tf_bind" {
   name     = "AAA_LDAPS"
   policy   = "pol_auth_ldaps"

terraform/citrix-adc/modules/netscaler.base.configuration/base_vservers.tf

@@ -44,7 +44,7 @@ resource "citrixadc_lbvserver" "lb_vserver" {
     citrixadc_sslcipher.ssl_cg_fe_TLS13,
     citrixadc_sslprofile.ssl_prof_fe_13,
     citrixadc_sslprofile.ssl_prof_fe_13_SNI,
-  ]
+  ]  
 }
 
 

terraform/citrix-adc/modules/netscaler.base.configuration/provider.tf

@@ -5,16 +5,4 @@ terraform {
       source = "citrix/citrixadc"
     }
   }
-}
-
-# Target non default partition
-provider "citrixadc" {
-  endpoint   = var.logon_information.host
-  username   = var.logon_information.username
-  password   = var.logon_information.password
-  do_login   = true
-
-# Allow connection upon invalid certificate
-  insecure_skip_verify = true
-
 }

terraform/citrix-adc/modules/netscaler.letsencrypt/lec_config.tf

@@ -0,0 +1,99 @@
+
+
+# Create Private Key
+resource "tls_private_key" "le_private_key" {
+  algorithm   = var.letsencrypt_certificate.private_key_algorithm
+  ecdsa_curve = var.letsencrypt_certificate.private_key_ecdsa_curve
+  rsa_bits    = var.letsencrypt_certificate.private_key_rsa_bits
+}
+
+# Register with ACME
+resource "acme_registration" "le_registration" {
+  account_key_pem = tls_private_key.le_private_key.private_key_pem
+  email_address   = var.letsencrypt_certificate.registration_email_address
+
+  depends_on = [
+    tls_private_key.le_private_key
+  ]
+}
+
+# Create Certificate
+resource "acme_certificate" "le_certificate" {
+  account_key_pem           = acme_registration.le_registration.account_key_pem
+  common_name               = var.letsencrypt_certificate.common_name
+  subject_alternative_names = var.letsencrypt_certificate-san
+
+  http_challenge {
+  }
+
+  depends_on = [
+    acme_registration.le_registration
+  ]
+}
+
+# Upload cert files to /nsconfig/ssl on ADC
+resource "citrixadc_systemfile" "le_upload_cert" {
+  filename = "${var.letsencrypt_certificate.common_name}_certificate.cer"
+  filelocation = "/nsconfig/ssl"
+  filecontent = lookup(acme_certificate.le_certificate,"certificate_pem")
+
+  depends_on = [
+    acme_certificate.le_certificate
+  ]
+}
+
+resource "citrixadc_systemfile" "le_upload_key" {
+  filename = "${var.letsencrypt_certificate.common_name}_privatekey.cer"
+  filelocation = "/nsconfig/ssl"
+  filecontent = nonsensitive(lookup(acme_certificate.le_certificate,"private_key_pem"))
+
+  depends_on = [
+    acme_certificate.le_certificate
+  ]
+}
+
+resource "citrixadc_systemfile" "le_upload_root" {
+  filename = "${var.letsencrypt_certificate.common_name}_rootca.cer"
+  filelocation = "/nsconfig/ssl"
+  filecontent = lookup(acme_certificate.le_certificate,"issuer_pem")
+
+  depends_on = [
+    acme_certificate.le_certificate
+  ]
+}
+
+# Implement root certificate
+resource "citrixadc_sslcertkey" "le_implement_rootca" {
+  certkey = "ssl_cert_${var.letsencrypt_certificate.common_name}_RootCA"
+  cert = "/nsconfig/ssl/${var.letsencrypt_certificate.common_name}_rootca.cer"
+  expirymonitor = "DISABLED"
+
+depends_on = [
+    citrixadc_systemfile.le_upload_cert,
+    citrixadc_systemfile.le_upload_key
+  ]
+}
+
+# Implement server certificate
+resource "citrixadc_sslcertkey" "le_implement_certkeypair" {
+  certkey = "ssl_cert_${var.letsencrypt_certificate.common_name}_Server"
+  cert = "/nsconfig/ssl/${var.letsencrypt_certificate.common_name}_certificate.cer"
+  key = "/nsconfig/ssl/${var.letsencrypt_certificate.common_name}_privatekey.cer"
+  expirymonitor = "DISABLED"
+  linkcertkeyname = "ssl_cert_${var.letsencrypt_certificate.common_name}_RootCA"
+
+  depends_on = [
+    citrixadc_sslcertkey.le_implement_rootca
+  ]
+}
+
+# Save config
+resource "citrixadc_nsconfig_save" "le_save" {  
+    all        = true
+    timestamp  = timestamp()
+
+    depends_on = [
+        citrixadc_sslcertkey.le_implement_certkeypair,
+        citrixadc_sslcertkey.le_implement_rootca
+    ]
+}

terraform/citrix-adc/modules/netscaler.letsencrypt/lec_loadbalancer.tf

@@ -0,0 +1,66 @@
+# Add LB Server
+resource "citrixadc_server" "le_lb_install_server" {
+  name      = var.letsencrypt_lb.lb_srv_name
+  ipaddress = var.letsencrypt_lb.backend_ip
+}
+
+# Add LB Service Groups
+resource "citrixadc_servicegroup" "le_lb_install_servicegroup" {
+
+  servicegroupname  = var.letsencrypt_lb.lb_sg_name
+  servicetype       = var.letsencrypt_lb.servicetype
+  healthmonitor     = var.letsencrypt_lb.lb_sg_healthmonitor
+
+  depends_on = [
+    citrixadc_server.le_lb_install_server
+  ]
+}
+
+# Bind LB Server to Service Groups
+resource "citrixadc_servicegroup_servicegroupmember_binding" "le_lb_install_sg_server_binding" {
+  servicegroupname  = citrixadc_servicegroup.le_lb_install_servicegroup.servicegroupname
+  servername        = citrixadc_server.le_lb_install_server.name
+  port              = var.letsencrypt_lb.port
+
+  depends_on = [
+    citrixadc_servicegroup.le_lb_install_servicegroup
+  ]
+}
+
+#####
+# Add and configure LB vServer _ Type http
+#####
+resource "citrixadc_lbvserver" "le_lb_install_vserver_http" {
+  name            = var.letsencrypt_lb.lb_vs_name
+  servicetype     = var.letsencrypt_lb.servicetype
+  ipv46           = var.letsencrypt_lb.frontend_ip
+  port            = var.letsencrypt_lb.port
+  lbmethod        = var.letsencrypt_lb.lb_vs_lbmethod
+  persistencetype = var.letsencrypt_lb.lb_vs_persistencetype
+  timeout         = var.letsencrypt_lb.lb_vs_timeout
+
+  depends_on = [
+    citrixadc_servicegroup_servicegroupmember_binding.le_lb_install_sg_server_binding
+  ]
+}
+
+# Bind LB Service Groups to LB vServers
+resource "citrixadc_lbvserver_servicegroup_binding" "le_lb_install_vserver_sg_binding" {
+  name              = citrixadc_lbvserver.le_lb_install_vserver_http.name
+  servicegroupname  = citrixadc_servicegroup.le_lb_install_servicegroup.servicegroupname
+
+  depends_on = [
+    citrixadc_lbvserver.le_lb_install_vserver_http
+  ]
+}
+
+# Save config
+resource "citrixadc_nsconfig_save" "le_lb_install_save" {
+  all        = true
+  timestamp  = timestamp()
+
+  depends_on = [
+    citrixadc_lbvserver_servicegroup_binding.le_lb_install_vserver_sg_binding
+  ]
+}
+

terraform/citrix-adc/modules/netscaler.letsencrypt/provider.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    # ACME provider for LetsEncrypt
+      acme = {
+      source = "vancluever/acme"
+    }
+      citrixadc = {
+      source = "citrix/citrixadc"
+    }
+  }
+}

terraform/citrix-adc/modules/netscaler.letsencrypt/variables.tf

@@ -0,0 +1,40 @@
+# ADC LetsEncrypt LB configuration variables
+variable letsencrypt_lb {
+  type = map
+  description = "LetsEncrypt LoadBalancer configuration variables"
+  default = {
+    backend-ip  = "192.168.1.25"
+    frontend-ip = "192.168.1.17"
+    servicetype = "TCP"
+    port        = "80"
+    lb_srv_name           = "lb_srv_letsencrypt_backend"
+    lb_sg_name            = "lb_sg_letsencrypt_backend"
+    lb_sg_healthmonitor   = "NO"
+    lb_vs_name            = "lb_vs_letsencrypt"  
+    lb_vs_lbmethod        = "LEASTCONNECTION"
+    lb_vs_persistencetype = "SOURCEIP"
+    lb_vs_timeout         = "2"
+  }
+}
+
+# ADC LetsEncrypt configuration variables
+variable letsencrypt_certificate {
+  type = map
+  description = "Lets Encrypt Certificate configuration variables"
+  default = {
+    private_key_algorithm      = "RSA"
+    private_key_rsa_bits       = "4096"
+    private_key_ecdsa_curve    = "P224"
+    registration_email_address = "you@something.com"
+    common_name                = "environment.com"
+
+  }
+}
+
+variable letsencrypt_certificate-san {
+  type    = list
+  default = [
+    "citrix.YourEnvironment.YourDomain.YourTLD"
+  ]
+}
+