Automating Pingdom probe source IPs in Cisco ASA using Terraform

Pingdom is a monitoring service that uses “a global network of 100+ servers from all over the world as often as every minute.” These servers are called probes.

When a website needs to be monitored but its firewall restricts access to the source IP addresses of known clients (also called whitelisting), a list of the Pingdom probes needs to be maintained. Whenever Pingdom changes or adds a probe, you can run into the following issue, described on one of their help pages:

One of the most common reasons for Pingdom reporting an outage is not that a site or server is down, but that our servers are being blocked by a firewall or access control list.

If a Pingdom probe is blocked, there is a good chance that it will alarm and notify you that your website is down.

Pingdom provides a list of its probe IP addresses here: https://my.pingdom.com/probes/ipv4

Terraform is a tool that allows you to automate the provisioning of infrastructure. I noticed that Terraform has a Cisco ASA provider and gave it a quick whirl.

What I want to do is take the list of Pingdom probe IP addresses and use it to update a network object group in my ASA firewall. That group is referenced by a firewall rule that allows access to the website.

Here is my terraform cisco-asa-pingdom-probes.tf file that implements this.

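# Connection to the ASA REST API. The values below are placeholders; supply
# real credentials from variables or the environment, not from this file.
provider "ciscoasa" {
  api_url       = "https://x.x.x.x"
  username      = "xxxxxxxxxx"
  password      = "xxxxxxxxxx"
  ssl_no_verify = false # keep TLS certificate verification enabled
}

# Network object group referenced by the firewall rule for the website.
# Each line of the Pingdom response becomes one member of the group.
resource "ciscoasa_network_object_group" "pingdom" {
  name    = "tf_pingdom_probes"
  members = "${split("\n", trimspace(data.http.pingdom_ranges.body))}"
}

# Fetches the current probe list: plain text, one IPv4 address per line.
data "http" "pingdom_ranges" {
  url = "https://my.pingdom.com/probes/ipv4"
}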

To run it, you use the following commands:

$ terraform init

$ terraform apply

Here is the output of terraform apply:

[Image: terraform]

Here the object group is shown in the Cisco ASDM tool:

[Image: ciscoasdm]

Next steps would be to schedule this job to run on a recurring basis to keep those probe IP addresses up to date.
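
A hardened variant of the configuration above for unattended, scheduled runs, where whatever the feed URL returns ends up in a firewall allow rule. This is an added example, not the original post's configuration; it omits the provider block and assumes Terraform 1.2 or later (for `precondition`/`postcondition`) and version 3.0 or later of the hashicorp/http provider, which exposes `status_code` and `response_body` and no longer fails on a non-200 response by itself. The minimum probe count is an assumed value to tune.

```hcl
# Added example: validate the Pingdom feed before it reaches the ASA group.
data "http" "pingdom_ranges" {
  url = "https://my.pingdom.com/probes/ipv4"

  lifecycle {
    # Fail the run on anything but a 200 so an error page is never parsed.
    postcondition {
      condition     = self.status_code == 200
      error_message = "Pingdom probe feed did not return HTTP 200."
    }
  }
}

locals {
  # One entry per non-empty line; trimspace also drops a trailing \r.
  pingdom_lines = [
    for line in split("\n", data.http.pingdom_ranges.response_body) :
    trimspace(line) if trimspace(line) != ""
  ]
  pingdom_ips = distinct(local.pingdom_lines)

  # Assumed sanity floor (hypothetical value): a much shorter list points to
  # a truncated or wrong response, not a real change in the probe network.
  pingdom_min_probes = 50
}

resource "ciscoasa_network_object_group" "pingdom" {
  name    = "tf_pingdom_probes"
  members = local.pingdom_ips

  lifecycle {
    # Every member must be a single dotted-quad IPv4 address, so no CIDR
    # ranges, hostnames or HTML fragments reach the allowlist.
    precondition {
      condition = alltrue([
        for ip in local.pingdom_ips :
        can(regex("^(\\d{1,3}\\.){3}\\d{1,3}$", ip)) && can(cidrhost("${ip}/32", 0))
      ])
      error_message = "Pingdom feed contains a line that is not an IPv4 host address."
    }
    precondition {
      condition     = length(local.pingdom_ips) >= local.pingdom_min_probes
      error_message = "Pingdom feed is shorter than the expected minimum."
    }
  }
}
```

If any check fails, `terraform apply` stops before the object group is modified, so the previous allowlist stays in place and the scheduled job exits non-zero.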
