NetApp
diff --git a/‎Terraform/deploy-fsx-ontap/module/README.md‎
Lines changed: 28 additions & 20 deletions b/‎Terraform/deploy-fsx-ontap/module/README.md‎
Lines changed: 28 additions & 20 deletions
diff --git a/‎Terraform/deploy-fsx-ontap/module/main.tf‎
Lines changed: 23 additions & 144 deletions b/‎Terraform/deploy-fsx-ontap/module/main.tf‎
Lines changed: 23 additions & 144 deletions
@@ -21,15 +21,23 @@ Calling this terraform module will result the following:
 * Create a new AWS Security Group in your VPC with the following rules:
     - **Ingress** allow all ICMP traffic
     - **Ingress** allow nfs port 111 (both TCP and UDP)
-    - **Ingress** allow cifc TCP port 139
+    - **Ingress** allow cifs TCP port 139
     - **Ingress** allow snmp ports 161-162 (both TCP and UDP)
     - **Ingress** allow smb cifs TCP port 445
-    - **Ingress** alloe bfs mount port 635 (both TCP and UDP)
+    - **Ingress** allow nfs mount port 635 (both TCP and UDP)
+    - **Ingress** allow kerberos TCP port 749
+    - **Ingress** allow nfs port 2049 (both TCP and UDP)
+    - **Ingress** allow nfs lock and monitoring 4045-4046 (both TCP and UDP)
+    - **Ingress** allow nfs quota TCP 4049
+    - **Ingress** allow Snapmirror Intercluster communication TCP port 11104
+    - **Ingress** allow Snapmirror data transfer TCP port 11105
+    - **Ingress** allow ssh port 22
+    - **Ingress** allow https port 443
     - **Egress** allow all traffic
 * Create a new FSx for Netapp ONTAP file-system in your AWS account named "_terraform-fsxn_". The file-system will be created with the following configuration parameters:
     * 1024Gb of storage capacity
     * Multi AZ deployment type
-    * 256Mbps of throughput capacity 
+    * 128Mbps of throughput capacity 
 
 * Create a Storage Virtual Maching (SVM) in this new file-system named "_first_svm_"
 * Create a new FlexVol volume in this SVM named "_vol1_" with the following configuration parameters:
@@ -49,8 +57,8 @@ Calling this terraform module will result the following:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.6 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
+| terraform | >= 1.6.6 |
+| aws provider | >= 5.25 |
 
 ### AWS Account Setup
 
@@ -68,24 +76,23 @@ Calling this terraform module will result the following:
 > [!NOTE]
 > In this sample, the AWS Credentials were configured through [AWS CLI](https://aws.amazon.com/cli/), which adds them to a shared configuration file (option 4 above). Therefore, this documentation only provides guidance on setting-up the AWS credentials with shared configuration file using AWS CLI.
 
-    #### Configure AWS Credentials using AWS CLI
+#### Configure AWS Credentials using AWS CLI
 
-    The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at `$HOME/.aws/config` and `$HOME/.aws/credentials` on Linux and macOS, and `"%USERPROFILE%\.aws\credentials"` on Windows.
+The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at `$HOME/.aws/config` and `$HOME/.aws/credentials` on Linux and macOS, and `"%USERPROFILE%\.aws\credentials"` on Windows.
 
-    There are several ways to set your credentials and configuration setting using AWS CLI. We will use [`aws configure`](https://docs.aws.amazon.com/cli/latest/reference/configure/index.html) command:
+There are several ways to set your credentials and configuration setting using AWS CLI. We will use [`aws configure`](https://docs.aws.amazon.com/cli/latest/reference/configure/index.html) command:
 
-    Run the following command to quickly set and view your credentails, region, and output format. The following example shows sample values:
+Run the following command to quickly set and view your credentails, region, and output format. The following example shows sample values:
 
-    ```shell
-    $ aws configure
-    AWS Access Key ID [None]: < YOUR-ACCESS-KEY-ID >
-    AWS Secret Access Key [None]: < YOUR-SECRET-ACCESS-KE >
-    Default region name [None]: < YOUR-PREFERRED-REGION >
-    Default output format [None]: json
-    ```
-
-    To list configuration data, use the [`aws configire list`](https://docs.aws.amazon.com/cli/latest/reference/configure/list.html) command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.
+```shell
+$ aws configure
+AWS Access Key ID [None]: < YOUR-ACCESS-KEY-ID >
+AWS Secret Access Key [None]: < YOUR-SECRET-ACCESS-KE >
+Default region name [None]: < YOUR-PREFERRED-REGION >
+Default output format [None]: json
+```
 
+To list configuration data, use the [`aws configire list`](https://docs.aws.amazon.com/cli/latest/reference/configure/list.html) command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.
 
 ## Usage
 
@@ -250,7 +257,7 @@ terraform apply -y
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| fsx_admin_password | The ONTAP administrative password for the fsxadmin user that you can use to administer your file system using the ONTAP CLI and REST API | `string` | n/a | yes |
+| aws_secretsmanager_region | The AWS region where the secret is stored. | `string` | `"us-east-2"` | No |
 | backup_retention_days | The number of days to retain automatic backups. Setting this to 0 disables automatic backups. You can retain automatic backups for a maximum of 90 days. | `number` | `0` | no |
 | cidr_for_sg | cide block to be used for the ingress rules | `string` | `"0.0.0.0/0"` | no |
 | create_sg | Determines whether the SG should be deployed as part of this execution or not | `bool` | `false` | no |
@@ -260,6 +267,7 @@ terraform apply -y
 | fsx_deploy_type | The filesystem deployment type. Supports MULTI_AZ_1 and SINGLE_AZ_1 | `string` | `"MULTI_AZ_1"` | no |
 | fsx_maintenance_start_time | The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone. | `string` | `"1:00:00"` | no |
 | fsx_name | The deployed filesystem name | `string` | `"terraform-fsxn"` | no |
+| fsx_secret_name | The name of the AWS SecretManager secret that holds the ONTAP administrative password for the fsxadmin user that you can use to administer your file system using the ONTAP CLI and REST API. | `string` | `"fsx_secret"` | Yes |
 | fsx_subnets | A list of IDs for the subnets that the file system will be accessible from. Up to 2 subnets can be provided. | `map(any)` | <pre>{<br>  "primarysub": "",<br>  "secondarysub": ""<br>}</pre> | no |
 | fsx_tput_in_MBps | The throughput capacity (in MBps) for the file system. Valid values are 128, 256, 512, 1024, 2048, and 4096. | `number` | `256` | no |
 | kms_key_id | ARN for the KMS Key to encrypt the file system at rest, Defaults to an AWS managed KMS Key. | `string` | `null` | no |
@@ -297,4 +305,4 @@ See the License for the specific language governing permissions and limitations
 
 <!-- END_TF_DOCS -->
 
-© 2024 NetApp, Inc. All Rights Reserved.
+© 2024 NetApp, Inc. All Rights Reserved.
@@ -1,162 +1,35 @@
-// TODO add SG rule for SnapMirror
-
 # Copyright (c) NetApp, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-/* 
-  The following resources are a Security Group followed by ingress and egress rules for FSx ONTAP. 
-  The Security Group is not required for deploying FSx ONTAP, but is included here for completeness.
-
-  - If you wish to skip this resource, pass the variable "create_sg" as false to the module block. Otherwise, pass true.
-
-  - If you wish to use the Security Group, choose the relevant source for the ingress rules as cidr block and pass the variable "cidr_for_sg" to the module block.
-
-  Note that a source reference for a Security Group is optional, but is considered to be a best practice.
-  The rules below are just a suggestion for basic functionality.
-*/
-
-resource "aws_security_group" "fsx_sg" {
-  count       = var.create_sg ? 1 : 0
-  name        = "fsx_sg"
-  description = "Allow FSx ONTAP required ports"
-  vpc_id      = var.vpc_id
-}
-
-resource "aws_vpc_security_group_ingress_rule" "all_icmp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Allow all ICMP traffic"
-  cidr_ipv4         = "0.0.0.0/0"
-  from_port         = -1
-  to_port           = -1
-  ip_protocol       = "icmp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Remote procedure call for NFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 111
-  to_port           = 111
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Remote procedure call for NFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 111
-  to_port           = 111
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "cifs" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NetBIOS service session for CIFS"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 139
-  to_port           = 139
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "snmp_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Simple network management protocol for log collection"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 161
-  to_port           = 162
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "snmp_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Simple network management protocol for log collection"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 161
-  to_port           = 162
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "smb_cifs" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "Microsoft SMB/CIFS over TCP with NetBIOS framing"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 445
-  to_port           = 445
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_mount_tcp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NFS mount"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 635
-  to_port           = 635
-  ip_protocol       = "tcp"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "nfs_mount_udp" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  description       = "NFS mount"
-  cidr_ipv4         = var.cidr_for_sg
-  from_port         = 635
-  to_port           = 635
-  ip_protocol       = "udp"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_all_traffic" {
-  count             = var.create_sg ? 1 : 0
-  security_group_id = aws_security_group.fsx_sg[count.index].id
-  cidr_ipv4         = "0.0.0.0/0"
-  ip_protocol       = "-1"
-}
-
 /*
-  The following resources are for deploying a complete FSx ONTAP file system. 
-  The code below deploys the following resources in this order:
-  1. A file system 
-  2. A storage virtual machine
-  3. A volume within the storage virtual machine
-
-  Every resource include both optional and required parameters, separated by a comment line.
-  Feel free to add or remove optional parameters as needed.
-  The current settings are just a suggestion for basic functionality.
-*/
+   The following resources are for deploying a complete FSx ONTAP file system. 
+   The code below deploys the following resources in this order:
+   1. A file system 
+   2. A storage virtual machine
+   3. A volume within the storage virtual machine
+  
+   Every resource include both optional and required parameters, separated by a comment line.
+   Feel free to add or remove optional parameters as needed.
+ */
 
 resource "aws_fsx_ontap_file_system" "terraform-fsxn" {
   // REQUIRED PARAMETERS 
-  subnet_ids          = [var.fsx_subnets["primarysub"], var.fsx_subnets["secondarysub"]]
+  subnet_ids = (var.fsx_deploy_type == "MULTI_AZ_1" ? [var.fsx_subnets["primarysub"], var.fsx_subnets["secondarysub"]] : [var.fsx_subnets["primarysub"]])
   preferred_subnet_id = var.fsx_subnets["primarysub"]
 
   // OPTIONAL PARAMETERS
   storage_capacity                  = var.fsx_capacity_size_gb
-  security_group_ids                = var.create_sg ? [element(aws_security_group.fsx_sg.*.id, 0)] : []
+  security_group_ids                = var.create_sg ? [element(aws_security_group.fsx_sg.*.id, 0)] : [var.security_group_id]
   deployment_type                   = var.fsx_deploy_type
   throughput_capacity               = var.fsx_tput_in_MBps
   weekly_maintenance_start_time     = var.fsx_maintenance_start_time
   kms_key_id                        = var.kms_key_id
   automatic_backup_retention_days   = var.backup_retention_days
   daily_automatic_backup_start_time = var.daily_backup_start_time
-  storage_type                      = var.storage_type
-  fsx_admin_password = var.fsx_admin_password
-  route_table_ids    = var.route_table_ids
-  tags               = var.tags
-  dynamic "disk_iops_configuration" {
-    for_each = var.disk_iops_configuration != null ? [var.disk_iops_configuration] : []
-    content {
-      iops = disk_iops_configuration.value["iops"]
-      mode = disk_iops_configuration.value["mode"]
-    }
-  }
-  # endpoint_ip_address_range = ""
+  fsx_admin_password                = data.aws_secretsmanager_secret_version.fsx_password.secret_string
+  route_table_ids                   = var.route_table_ids
+  tags                              = var.tags
+  disk_iops_configuration           = var.disk_iops_configuration
 }
 
 resource "aws_fsx_ontap_storage_virtual_machine" "mysvm" {
@@ -166,7 +39,6 @@ resource "aws_fsx_ontap_storage_virtual_machine" "mysvm" {
 
   // OPTIONAL PARAMETERS
   root_volume_security_style = var.root_vol_sec_style
-  tags                       = var.tags
   # active_directory_configuration {}
 }
 
@@ -190,5 +62,12 @@ resource "aws_fsx_ontap_volume" "myvol" {
   skip_final_backup                    = var.vol_info["skip_final_backup"]
   # snaplock_configuration {}
   # snapshot_policy {}
-  tags            = var.tags
+}
+#
+# The next two data blocks retrieve the secret from Secrets Manager.
+data "aws_secretsmanager_secret" "fsx_secret" {
+  name = var.fsx_secret_name
+}
+data "aws_secretsmanager_secret_version" "fsx_password" {
+  secret_id = data.aws_secretsmanager_secret.fsx_secret.id
 }