» aviatrix_fqdn

The aviatrix_fqdn resource manages FQDN filtering for Aviatrix gateways.

» Example Usage

# Create an Aviatrix Gateway FQDN filter
resource "aviatrix_fqdn" "test_fqdn" {
  fqdn_tag     = "my_tag"
  fqdn_enabled = true
  fqdn_mode    = "white"

  gw_filter_tag_list {
    gw_name        = "test-gw1"
    source_ip_list = [
      "172.31.0.0/16",
      "172.31.0.0/20"
    ]
  }

  gw_filter_tag_list {
    gw_name        = "test-gw2"
    source_ip_list = [
      "30.0.0.0/16"
    ]
  }

  domain_names {
    fqdn  = "facebook.com"
    proto = "tcp"
    port  = "443"
    action = "Allow" // Optional
  }

  domain_names {
    fqdn  = "reddit.com"
    proto = "tcp"
    port  = "443"
  }
}

» Argument Reference

The following arguments are supported:

  • fqdn_tag - (Required) FQDN Filter tag name.
  • fqdn_enabled - (Optional) FQDN Filter tag status. Valid values: true, false.
  • fqdn_mode - (Optional) Specify FQDN mode: whitelist or blacklist. Valid values: "white", "black".
  • gw_filter_tag_list - (Optional) A list of gateways to attach to the specific tag.
    • gw_name - (Required) Name of the gateway to attach to the specific tag.
    • source_ip_list - (Optional) List of source IPs in the VPC qualified for a specific tag.
  • domain_names - (Optional) One or more domain names in a list with details as listed below:
    • fqdn - (Required) FQDN. Example: "facebook.com".
    • proto - (Required) Protocol. Valid values: "all", "tcp", "udp", "icmp".
    • port - (Required) Port. Example: "25".
    • action - (Optional) What action should happen to matching requests. Possible values are: 'Base Policy', 'Allow' or 'Deny'. Defaults to 'Base Policy' if no value provided.
    • For proto "all", port must be set to "all".
    • For proto "icmp", port must be set to "ping".

» Import

fqdn can be imported using the fqdn_tag, e.g.

$ terraform import aviatrix_fqdn.test fqdn_tag

» Notes

» FireNet

If FQDN is enabled on a gateway that is part of the Aviatrix FireNet solution, associating the gateway with the firewall may fail with an error requiring SNAT to be disabled (for the reasons described in the single_ip_snat note below). Add an explicit dependency (depends_on) on the aviatrix_firenet resource in the aviatrix_fqdn resource so that the FireNet attachment completes before FQDN is enabled for that gateway.

» enable_vpc_dns_server

In order for the FQDN feature to be enabled, the corresponding gateway's enable_vpc_dns_server must be set to false at creation. Enabling FQDN automatically turns that feature on, which causes a diff in the state on the next plan. Add lifecycle { ignore_changes = [enable_vpc_dns_server] } within that gateway's resource block to work around this known issue. See the Terraform documentation on the lifecycle meta-argument for more information.

» single_ip_snat

In order for the FQDN feature to be enabled, single_ip_snat must be set to true in the corresponding gateway. If it is not set at gateway creation, creation of the FQDN resource will automatically enable SNAT, and users must rectify the resulting diff in the Terraform state by setting single_ip_snat = true in their gateway resource. Alternatively, use the lifecycle options in that gateway resource to ignore changes to single_ip_snat, as described in the note above.
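The following is an added example, not part of the Aviatrix provider documentation, that puts the three notes above and the proto/port constraints from the Argument Reference into one configuration: a gateway created with single_ip_snat = true and enable_vpc_dns_server = false (with the drift on enable_vpc_dns_server ignored), and a whitelist FQDN tag attached to it that waits for the FireNet attachment. All names, account names, VPC IDs and CIDRs are placeholders, and aviatrix_firenet.firenet is assumed to be defined elsewhere in the same configuration.

```hcl
# Added example (not from the Aviatrix provider docs). Placeholders throughout;
# aviatrix_firenet.firenet is assumed to be defined elsewhere in this configuration.

resource "aviatrix_gateway" "egress_gw" {
  cloud_type   = 1                        # AWS
  account_name = "aws-account"            # placeholder Aviatrix access account
  gw_name      = "egress-gw"
  vpc_id       = "vpc-0123456789abcdef0"  # placeholder
  vpc_reg      = "us-east-1"
  gw_size      = "t3.micro"
  subnet       = "10.0.1.0/24"            # placeholder public subnet

  # FQDN filtering requires single-IP SNAT on the gateway. Setting it here keeps
  # the state in line with what the controller enforces once FQDN is enabled.
  single_ip_snat = true

  # Must be false at creation. Enabling FQDN turns it on behind the scenes, so
  # ignore that drift instead of having every plan try to revert it.
  enable_vpc_dns_server = false

  lifecycle {
    ignore_changes = [enable_vpc_dns_server]
  }
}

resource "aviatrix_fqdn" "egress_allowlist" {
  fqdn_tag     = "egress-allowlist"
  fqdn_enabled = true
  fqdn_mode    = "white"   # only the listed destinations are reachable

  gw_filter_tag_list {
    gw_name        = aviatrix_gateway.egress_gw.gw_name
    source_ip_list = ["10.0.10.0/24"]   # placeholder: VPC sources this tag applies to
  }

  # tcp and udp entries take a numeric port
  domain_names {
    fqdn  = "deb.debian.org"
    proto = "tcp"
    port  = "443"
  }

  # proto "all" requires port "all"
  domain_names {
    fqdn  = "updates.example.com"
    proto = "all"
    port  = "all"
  }

  # proto "icmp" requires port "ping"
  domain_names {
    fqdn  = "monitor.example.com"
    proto = "icmp"
    port  = "ping"
  }

  # Let the FireNet attachment finish before FQDN is enabled on this gateway.
  # aviatrix_firenet.firenet is assumed to exist elsewhere in the configuration.
  depends_on = [aviatrix_firenet.firenet]
}
```

Because single_ip_snat is set explicitly on the gateway, only enable_vpc_dns_server needs to be listed in ignore_changes. If the gateway is instead created without single_ip_snat and FQDN is allowed to enable SNAT, add single_ip_snat to the same ignore_changes list so that subsequent plans do not try to revert it.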