README.md

Check Point CloudGuard Management Module

This Terraform module deploys Check Point CloudGuard Network Security Management solution in azure. As part of the deployment the following resources are created:

• Resource group
• Virtual network
• Network security group
• Virtual Machine
• System assigned identity
• Storage account

This solution uses the following submodules:

• common - used for creating a resource group and defining common variables.
• vnet - used for creating new virtual network and subnets or using an existing virtual network.
• network-security-group - used for creating new network security groups and rules or using an existing network security group.
• storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics.

Usage

Follow best practices for using CGNS modules on the root page.

Example:

provider "azurerm" {
  features {}
}

module "example_module" {
  source  = "CheckPointSW/cloudguard-network-security/azure//modules/management"
  version = "1.0.9"

  # Authentication Variables
  client_secret                   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  client_id                       = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  tenant_id                       = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  subscription_id                 = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

  # Basic Configurations Variables
  resource_group_name = "checkpoint-mgmt-terraform"
  mgmt_name           = "checkpoint-mgmt-terraform"
  location            = "eastus"
  tags                = {}

  # Virtual Machine Instances Variables
  source_image_vhd_uri           = "noCustomUri"
  authentication_type            = "Password"
  admin_password                 = "xxxxxxxxxxxx"
  serial_console_password_hash   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  vm_size                        = "Standard_D4ds_v5"
  disk_size                      = "110"
  os_version                     = "R82"
  vm_os_sku                      = "mgmt-byol"
  vm_os_offer                    = "check-point-cg-r82"
  allow_upload_download          = true
  admin_shell                    = "/etc/cli.sh"
  bootstrap_script               = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
  zone                           = ""

  # Networking Variables
  vnet_name                       = "checkpoint-mgmt-vnet"
  subnet_name                     = "checkpoint-mgmt-vnet-subnet"
  address_space                   = "10.0.0.0/16"
  subnet_prefix                   = "10.0.0.0/24"
  management_GUI_client_network   = "0.0.0.0/0"
  mgmt_enable_api                 = "disable"
  nsg_id                          = ""
  storage_account_deployment_mode = "New"
  add_storage_account_ip_rules    = false
  storage_account_additional_ips  = []
}

Conditional creation

Virtual Network:

You can specify wether you want to create a new Virtual Network or use an existing one:

• To create a new Virtual Network:

  address_space = "10.0.0.0/16"
  

• To use an existing Virtual Network:

  address_space = ""
  existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME"
  

  When using an existing Virtual Network the variable subnet_name will be used as the name of the existing subnet inside the Virtual Network, you can also ignore the address_prefix when you use an existing Virtual Network.

Availability types deployment:

To define the zone for the Management deployment in Availability Zones supported regions:

zone = "1"

If the zone preference is not important, or the selected region does not support Availability Zones, leave the parameter as an empty string or omit it entirely:

zone = ""

Boot Diagnostics:

You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. The available options for storage_account_deployment_mode are:

• New Creates a new storage account to be used for boot diagnostics.
  Usage: storage_account_deployment_mode = "New"
• Exists Uses an existing storage account for boot diagnostics.
  Usages:

  storage_account_deployment_mode              = "Existing"
  existing_storage_account_name                = "EXISTING_STORAGE_ACCOUNT_NAME"
  existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME"
  

• Managed: Uses a managed (automatically created) storage account for boot diagnostics.
  Usage: storage_account_deployment_mode = "Managed"
• None: Disables boot diagnostics.
  Usage: storage_account_deployment_mode = "None"
  

Module's variables:

Name	Description	Type	Allowed values
client_secret	The client secret value of the Service Principal used to deploy the solution	string	N/A
client_id	The client ID of the Service Principal used to deploy the solution	string	N/A
tenant_id	The tenant ID of the Service Principal used to deploy the solution	string	N/A
subscription_id	The subscription ID is used to pay for Azure cloud services	string	N/A
resource_group_name	The name of the resource group that will contain the contents of the deployment.	string	Resource group names only allow alphanumeric characters, periods, underscores, hyphens, and parenthesis and cannot end in a period.
mgmt_name	Management name	string.	N/A
location	The region where the resources will be deployed.	string	The full list of Azure regions can be found at https://azure.microsoft.com/regions.
tags	Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}. Supported resource types for tag assignment include: all (Applies tags universally to all resource instances) resource-group virtual-network network-security-group network-interface public-ip route-table storage-account virtual-machine custom-image Important: When identical tag keys are defined both globally under all and within a specific resource scope, the tag value specified under all overrides the resource-specific tag.	map(map(string))	Defaults: {}
source_image_vhd_uri	The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images.	string	Default: "noCustomUri"
authentication_type	Specifies whether a password authentication or SSH Public Key authentication should be used.	string	"Password"; "SSH Public Key";
admin_password	The password associated with the local administrator account on each cluster member.	string	Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character.
admin_SSH_key	The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key'.	string	Default: ""
serial_console_password_hash	Optional parameter, used to enable serial console connection in case of SSH key as authentication type. To generate a password hash, use the command openssl passwd -6 PASSWORD on Linux and paste it here.	string	N/A
maintenance_mode_password_hash	Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command grub2-mkpasswd-pbkdf2 on Linux and paste it here.	string	N/A
vm_size	Specifies the size of the Virtual Machine.	string	A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc).
disk_size	Storage data disk size (GB).	string	A number in the range 100 - 3995 (GB).
os_version	GAIA OS version.	string	"R8110"; "R8120"; "R82"; "R8210"; **Defaults:**R82
vm_os_sku	A SKU of the image to be deployed.	string	"mgmt-byol" - BYOL license; "mgmt-25" - PAYG;.
vm_os_offer	The name of the image offer to be deployed.	string	"check-point-cg-r8110"; "check-point-cg-r8120"; "check-point-cg-r82"; "check-point-cg-r8210";.
allow_upload_download	Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point.	boolean	true; false;
admin_shell	Enables selecting different admin shells	string	/etc/cli.sh; /bin/bash; /bin/csh; /bin/tcsh; Default: "/etc/cli.sh"
bootstrap_script.	An optional script to run on the initial boot.	string	Bootstrap script example: "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" Default: ""
zone	Optional parameter, specifies the Availability Zone the solution should be deployed in.	string	"1" Default: ""
vnet_name	The name of the virtual network that will be created.	string	The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
existing_vnet_resource_group	The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network.	string	N/A
subnet_name	The Virtual Network subnet name used for creating a new subnet with that name when create a new Virtual Network or used as the existing subnet name when using an existing Vritual Network.	string	N/A
address_space	The address space that is used by a Virtual Network.	string	A valid address in CIDR notation Default: "10.0.0.0/16"
subnet_prefix	Address prefix to be used for the network subnet.	string	A valid address in CIDR notation Default: "10.0.0.0/24"
management_GUI_client_network	Allowed GUI clients - GUI clients network CIDR.	string	N/A
mgmt_enable_api	Enable API access to the management.	string	"all"; "management_only"; "gui_clients"; "disable"; Default: "disable"
nsg_id	Optional ID for a Network Security Group that already exists in Azure. If not provided, a default NSG will be created.	string	Existing NSG resource ID Default: ""
storage_account_deployment_mode	Choose the boot diagnostics storage account type.	string	New; Existing; Managed; None; Default: New
add_storage_account_ip_rules	Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location. If false, then access will be allowed from all networks. Relevant only if storage_account_deployment_mode = "New".	boolean	true; false; Default: false
storage_account_additional_ips	IPs/CIDRs that are allowed access to the Storage Account. Relevant only if storage_account_deployment_mode = "New".	list(string)	A list of valid IPs and CIDRs Default: []
existing_strorage_account_name	The existing storage account name. Relevant only if storage_account_deployment_mode = "Existing".	string	Default: ""
existing_strorage_account_resource_group_name	The existing storage account resource group name. Relevant only if storage_account_deployment_mode = "Existing".	string	Default: ""
security_rules	Security rules for the Network Security.	list(any)	A security rule is composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description} Default: []