Requests for new features

[bando483]

Is there an existing issue for this?

• I have searched the existing issues

Description

Hi

I'm working with your code in the current days and I guess it will be used for our production environment, but I'm here writing you to take into account some requests we have in order to enhance the script with minor and major new features:
1- as per the current code there is no chance to change SG definition, unless editing the main.tf of ec2_modules. could it be added in terraform.tfvars the possibility to edit the ISE-Security-Group
2- it would be useful to add some specific tags to EC2s and any created object; it can be done editing your code but it would be interesting to have it directly in terraform.tfvars
3- currently the deploy have two PSNs mandatory to be deployed; a scenario to be taken into account is the following
a- create only PAN and MNT (primary and secondary) without any PSNs
b- create additional PSNs with new Terraform execution; this can be useful for first deployment but even if we would like to increase the environment
c- PSNs and even PAN/MONITOR, in the near future, could be needed to be in different region, in order to have a fully distributed and multi-regional ISE environment. this is the MOST IMPORTANT enhancement we are looking for.
d- èossibility to register PSNs located in different Data Center (either on-prem, or other clouds); as they were input to the script.

Regards
Alessio

New or Affected Resource(s)/Data Source(s)

NEW

Potential ISE Automation Configuration

No response

[sudhanss]

Thanks Alessio(@bando483) for feedback and enhancement suggestion. We have recently enhanced tfvars file on how to use these scripts with no PSNs.
"""7. To create only Primary and secondary nodes without any PSN's, virtual_machines_psn variable should be set to {}"""

We are exploring the possibility to support multi region ISE deployment Could you please share on how do you setup multi region environment for ISE deployment manually eg how do you ensure multi region VPC communication (There are different ways, the ask is to understand your use case of multi region ISE deployment.)

[bando483]

Hi

regarding the change to use script without PSN, is it already in place?
can I launch it in 4 times? I mean... I need to deploy a PAN, then in a second moment a secondary PAN, in a third moment a PSN and finally in a forth iteration another PSN. is it possible? does the Step Function work with this "incremental" scenario?

Regarding your question on multi-region enhancement, our regions are all linked via CloudWAN and into each region a TransitGW regulates the flows; so communication is in place before any deployment.

Our Idea of deploying ISE multi-regionally is not yet well defined but we could have, I would say, 3 possible scenarios:

1- 1PAN+1MNT on region 1, 2 PSN on the same region 1, 2 PSN on region 2, 2 PSN on region 3
2- 1 PAN on region 1, 2 PSN on the same region 1, 1 MNT on region 2, 2 PSN on region 2, 2 PSN on region 3
3- 1PAN+1MNT on region 1, 2 PSN on the same region 1, 1PAN+1MNT on region 2, 2 PSN on region 2, 2 PSN on region 3

regards
Alessio

[sudhanss]

Hi,

The changes are done to have only 2 nodes without any PSN on single terraform run. Framework do not yet support adding node in incremental order. This enhancement is in backlog and will explore the possibility to have that in place.

Thanks for sharing multi region ISE deployment architecture, will keep this in mind while developing scripts.

Thanks & Regards,
Sudhanshu

[bando483]

So that's all for the moment. thanks for taking into accounts the enhancements we have proposed.

is there any chance to keep us posted on future implementation of these features?

from my point of view you can close this topic

regards