Releases: CiscoISE/ciscoise-terraform-automation-aws-nodes

Release Notes - Cisco ISE Terraform AWS Release 2 #Patch 1 #Minor 2

10 Dec 06:32
fb5a9c6

Summary

These changes apply to ISE release 3.4 and later.

This release introduces support for specifying secondary and tertiary nameservers (secondarynameserver, tertiarynameserver) as well as secondary and tertiary NTP servers (secondaryntpserver, tertiaryntpserver), in addition to the existing primarynameserver and primaryntpserver options.

Additionally, primarynameserver and primaryntpserver are now required fields. If either is missing, the Terraform plan will fail validation before execution begins.


Release Notes - Cisco ISE Terraform AWS Release 2 #Patch 1 #Minor 1

16 Sep 15:45
da631b8

Summary

This release updates the DeploymentStateMachine Step Function to improve Lambda timeout handling and retry logic.


Changes

1. Catch Blocks Updated for Timeout Handling

  • Updated InvokeCheckISEStatusLambda and InvokeCheckSyncStatusLambda tasks to catch:

    • States.Timeout (Step Function normalized timeout)
    • Lambda.Unknown (legacy Lambda failures)
    • Sandbox.Timedout (appears in CloudWatch logs for Lambda execution timeouts)
  • Ensures that Lambda functions exceeding their maximum execution time (900 seconds) are properly routed to retry states.

  • Note: Sandbox.Timedout is logged by Lambda, but Step Functions internally treats it as States.Timeout.

AWS Reference

https://docs.aws.amazon.com/step-functions/latest/dg/sfn-best-practices.html#:~:text=%3A%202%0A%7D%20%5D-,Note,-Unhandled%20errors%20in
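
A check for the catch coverage described above, written as an added example (it is not code from this repository). It reads an Amazon States Language definition and reports which of the two tasks fail to catch any of the three error names; the sample definition and the `WaitBeforeRetry` state name are constructed for illustration, and only top-level states are inspected.

```python
import json

# Error names the release notes say both polling tasks must catch.
REQUIRED = ("States.Timeout", "Lambda.Unknown", "Sandbox.Timedout")
TASKS = ("InvokeCheckISEStatusLambda", "InvokeCheckSyncStatusLambda")


def caught_by(error, catchers):
    """Return the Next state of the first catcher matching `error`, else None."""
    for c in catchers:
        names = c.get("ErrorEquals", [])
        # States.TaskFailed is a wildcard for every error except States.Timeout.
        wildcard = "States.ALL" in names or (
            "States.TaskFailed" in names and error != "States.Timeout")
        if error in names or wildcard:
            return c.get("Next")
    return None


def audit(definition):
    """Map each required task to the error names it does not catch."""
    states = json.loads(definition)["States"]
    gaps = {}
    for task in TASKS:
        catchers = states.get(task, {}).get("Catch", [])
        missing = [e for e in REQUIRED if caught_by(e, catchers) is None]
        if missing:
            gaps[task] = missing
    return gaps


# Constructed definition; "WaitBeforeRetry" is a hypothetical state name.
SAMPLE = json.dumps({
    "StartAt": "InvokeCheckISEStatusLambda",
    "States": {
        "InvokeCheckISEStatusLambda": {
            "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
            "Catch": [{"ErrorEquals": list(REQUIRED), "Next": "WaitBeforeRetry"}],
            "Next": "InvokeCheckSyncStatusLambda"},
        "InvokeCheckSyncStatusLambda": {
            "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
            "Catch": [{"ErrorEquals": ["Lambda.Unknown"], "Next": "WaitBeforeRetry"}],
            "End": True},
        "WaitBeforeRetry": {"Type": "Wait", "Seconds": 60,
                            "Next": "InvokeCheckISEStatusLambda"},
    },
})
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means both tasks route all three error names to some catcher; the sample's second task is deliberately left with a gap.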

Release Notes - Cisco ISE Terraform AWS Release 2 #Patch 1

17 Jun 07:23
9e14c3f

🚀 Features

Cisco ISE Terraform AWS Release 2 #Patch 1

ISE Infrastructure Automation on AWS using Terraform

This patch allows the Terraform configurations to support the deployment of ISE version 3.4.

Changes:

  • The ntpserver field name is changed to primaryntpserver. If you use ntpserver, Cisco ISE services will not start.
  • OpenAPI is enabled by default. Hence, the openapi=<yes/no> field is not required.
  • If you leave the secondarynameserver field blank and use only the tertiarynameserver field, the Cisco ISE services will not start.
  • If you leave the secondaryntpserver field blank and use only the tertiaryntpserver field, the Cisco ISE services will not start.
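
A pre-flight check for the DNS and NTP field rules on this page (the renamed ntpserver field, the blank-secondary cases listed above, and the required primary fields from Release 2 Patch 1 Minor 2), written as an added example that is not part of the repository. It assumes the fields appear as flat `name = "value"` assignments; the sample text uses constructed documentation addresses.

```python
import re

# Matches flat `name = "value"` assignments; comment lines do not match.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"')
KINDS = ("nameserver", "ntpserver")


def parse_tfvars(text):
    """Collect string assignments from tfvars-style text into a dict."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def preflight(text):
    """Return the DNS/NTP field problems the release notes warn about."""
    v = parse_tfvars(text)
    problems = []
    if "ntpserver" in v:
        problems.append("ntpserver: renamed to primaryntpserver")
    for kind in KINDS:
        if not v.get("primary" + kind):
            problems.append(f"primary{kind}: required")
        if v.get("tertiary" + kind) and not v.get("secondary" + kind):
            problems.append(f"tertiary{kind}: set while secondary{kind} is blank")
    return problems


# Constructed sample input, not taken from the repository.
SAMPLE = '''
# DNS and NTP settings
primarynameserver   = "192.0.2.53"
secondarynameserver = ""
tertiarynameserver  = "192.0.2.55"
ntpserver           = "time.example.com"
'''

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print(problem)
```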

Supported Cisco ISE 3.4 Deployment regions:

us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, eu-south-1, eu-south-2, ap-southeast-1, ap-southeast-2, ap-southeast-3, ap-southeast-4, ap-south-1, ap-south-2, ap-northeast-1, ap-northeast-2, ap-east-1, me-south-1, ap-northeast-3, sa-east-1, af-south-1, me-central-1

For more information about ISE 3.4, refer to the official Release Notes for ISE 3.4.
You can also refer to the official ISE Deployment Guide on AWS Cloud.

Release Notes - Cisco ISE Terraform AWS Release 1

27 May 10:32
12fafcc

🚀 Features

Cisco ISE Terraform AWS Release 1

ISE Infrastructure Automation on AWS using Terraform

This repository enables users to automate the deployment and configuration of Cisco ISE nodes on AWS. It offers two deployment options:

  1. Deploy the solution within an existing VPC.
  2. Launch the entire infrastructure from scratch, starting with VPC creation, followed by AWS EC2 deployments, and Node Persona configurations.

Supported Cisco ISE Versions:

  • 3.1
  • 3.2
  • 3.3

What does this project do?

  1. This project utilizes a Terraform module to deploy up to 58 Cisco ISE nodes (minimum: 2, maximum: 58) on AWS, based on user input. It now supports multi-node deployment with the following features:
    a. Dynamic node count.
    b. Customizable configurations for:
      i. Roles.
      ii. Services.
      iii. Hostnames.
      iv. Instance sizes.
      v. EBS volume sizes.
    c. Automatic creation of Dynamic Route53 records, SSM parameters, and hostname configurations in user data.

  2. Once the stack is deployed based on the user-provided configurations in the terraform.tfvars file, an AWS Step Function is triggered to update the ISE nodes with the specified configurations. (Detailed steps for updating nodes with these configurations can be found in the respective terraform.tfvars files.) Following this, the AWS SyncStatus Lambda function runs to monitor and validate the status between the nodes.

  3. Support has been expanded to include 7 instance types:
    t3.xlarge, m5.2xlarge, c5.4xlarge, m5.4xlarge, c5.9xlarge, m5.8xlarge, m5.16xlarge.

  4. An IAM policy with least privileges is included, enabling secure deployment of the ISE stack.

  5. Various validations for roles and services are performed prior to deployment.

  6. Enhanced documentation, including a detailed readme.md and a terraform.tfvars file for each of create-ec2-with-existing-vpc and create-ec2-with-new-vpc, ensuring easier and more efficient deployment.

  7. A clear repository directory structure has been created to improve module organization and understanding.
