diff --git a/modules/common/common/main.tf b/modules/common/common/main.tf
new file mode 100644
index 0000000..ec9d49d
--- /dev/null
+++ b/modules/common/common/main.tf
@@ -0,0 +1,47 @@
+resource "azurerm_resource_group" "resource_group" {
+ name = var.resource_group_name
+ location = var.location
+ tags = var.tags
+}
+
+module "regions" {
+ source = "Azure/avm-utl-regions/azurerm"
+ version = "0.5.1"
+
+ count = var.is_zonal ? 1 : 0
+ use_cached_data = false
+ enable_telemetry = false
+ availability_zones_filter = true
+ recommended_filter = false
+}
+
+resource "null_resource" "validate_region" {
+ count = var.is_zonal ? 1 : 0
+
+ lifecycle {
+ precondition {
+ condition = contains(keys(module.regions[0].regions_by_name), var.location)
+ error_message = "The selected region (${var.location}) does not support Availability Zones. Change to a supported region or set configuration to not use zones"
+ }
+
+ postcondition {
+ condition = length(var.availability_zones) == length(distinct(var.availability_zones))
+ error_message = "Duplicate zones: ${join(", ", var.availability_zones)}"
+ }
+
+ postcondition {
+ condition = length(var.availability_zones) == tonumber(var.availability_zones_num) || length(var.availability_zones) == 0
+ error_message = "The number of availability zones in list (${join(", ", var.availability_zones)}) must match the specified number of Availability Zones (${var.availability_zones_num})."
+ }
+
+ postcondition {
+ condition = !(!can(regex("^([0-9]+)$", var.availability_zones_num)) || length(module.regions[0].regions_by_name[var.location].zones) < tonumber(var.availability_zones_num))
+ error_message = "The value of availability zones must be valid for the current region and a whole number."
+ }
+
+ postcondition {
+ condition = length([for zone in var.availability_zones : zone if !contains(module.regions[0].regions_by_name[var.location].zones, tonumber(zone))]) == 0
+ error_message = "Invalid zones for region ${var.location}: ${join(", ", var.availability_zones)}"
+ }
+ }
+}
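Review bot: The `regex` guard in the fourth `postcondition` does not protect the third one, which calls `tonumber(var.availability_zones_num)` unconditionally, so a non-numeric value fails with Terraform's generic conversion error instead of the custom message; the last postcondition has the same exposure through `tonumber(zone)`. Guarding each conversion keeps the intended message, e.g. `condition = can(tonumber(var.availability_zones_num)) && (length(var.availability_zones) == 0 || length(var.availability_zones) == tonumber(var.availability_zones_num))`. These are checks on inputs rather than on the created resource, so `precondition` blocks would report them at plan time instead of after the `null_resource` is created, and a one-line comment such as `# null_resource exists only to host the availability-zone validation checks` would save the next reader a search for what it provisions.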
diff --git a/modules/common/outputs.tf b/modules/common/common/outputs.tf old mode 100755 new mode 100644 similarity index 89% rename from modules/common/outputs.tf rename to modules/common/common/outputs.tf index 675a9e3..02cdeb2 --- a/modules/common/outputs.tf +++ b/modules/common/common/outputs.tf @@ -18,7 +18,7 @@ output "admin_username" { value = var.admin_username } -output "admin_password"{ +output "admin_password" { value = var.admin_password } @@ -26,7 +26,7 @@ output "vm_instance_identity" { value = var.vm_instance_identity_type } -output "module_name"{ +output "module_name" { value = var.module_name } @@ -34,7 +34,7 @@ output "module_version" { value = var.module_version } -output "bootstrap_script"{ +output "bootstrap_script" { value = var.bootstrap_script } @@ -127,4 +127,12 @@ output "storage_account_ip_rules" { } output "role_definition" { value = var.role_definition -} \ No newline at end of file +} + +output "regions" { + value = module.regions +} + +output "SSH_authentication_type_condition" { + value = var.authentication_type == "SSH Public Key" ? true : false +} diff --git a/modules/common/common/variables.tf b/modules/common/common/variables.tf new file mode 100644 index 0000000..ba44dc1 --- /dev/null +++ b/modules/common/common/variables.tf 
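Review bot: `output "admin_password"` is re-emitted here still without `sensitive = true`, so the value is treated as an ordinary string by whatever consumes the module output and will surface in plan output wherever the receiving attribute is not already marked sensitive in the provider schema. Add `sensitive = true` to that output; once the forwarded `admin_password` variable is itself marked sensitive, Terraform will require the flag on this output anyway. The new `SSH_authentication_type_condition` output can drop its redundant ternary: `value = var.authentication_type == "SSH Public Key"`.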
@@ -0,0 +1,277 @@ +//************** Basic config variables**************// +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "resource_group_id" { + description = "Azure Resource Group ID to use." + type = string + default = "" +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +variable "tags" { + description = "Tags to be associated with the resource group." + type = map(string) + default = {} +} + +//************** Availability Zones variables ************** +variable "is_zonal" { + description = "Define if resources should be deployed in Availability Zones" + type = bool + default = false +} + +variable "availability_zones_num" { + description = "Number of availability zones to use. Relevant only if 'is_zonal' is true" + type = string + default = "0" +} + +variable "availability_zones" { + description = "A list of availability zones to use." + type = list(string) + default = [] +} + +//************** Virtual machine instance variables ************** +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + type = string + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" + + validation { + condition = contains([ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], var.admin_shell) + error_message = "Variable [admin_shell] must be one of the following: '/etc/cli.sh', '/bin/bash', '/bin/csh', '/bin/tcsh'." 
+ } +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "vm_instance_identity_type" { + description = "Managed Service Identity type" + type = string + default = "SystemAssigned" +} + +variable "module_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string +} + +variable "module_version" { + description = "Template name. Should be defined according to deployment type(e.g. ha, vmss)" + type = string +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + type = string + default = "" +} + +variable "os_version" { + description = "GAIA OS version" + type = string + + validation { + condition = contains([ + "R8110", + "R8120", + "R82" + ], var.os_version) + error_message = "Variable [os_version] must be one of the following: 'R8110', 'R8120', 'R82'." + } +} + +variable "installation_type" { + description = "Installation type." + type = string + + validation { + condition = contains([ + "cluster", + "vmss", + "management", + "standalone", + "gateway", + "mds-primary", + "mds-secondary", + "mds-logserver" + ], var.installation_type) + error_message = "Variable [installation_type] must be one of the following: 'cluster', 'vmss', 'management', 'standalone', 'gateway', 'mds-primary', 'mds-secondary', 'mds-logserver'." 
+ } +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy" + type = string +} + +variable "allow_upload_download" { + description = "Allow upload/download to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + type = bool +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string + + validation { + condition = contains(["Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", + "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", + "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5", + "Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", + "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", + "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" + ], var.vm_size) + error_message = <<-EOF + Variable [vm_size] must be one of the allowed VM sizes: 'Standard_F2s', 'Standard_F4s', 'Standard_F8s', + 'Standard_F16s', 'Standard_M8ms', 'Standard_M16ms', 'Standard_M32ms', 'Standard_M64ms', 'Standard_M64s', + 'Standard_F2', 'Standard_F4', 'Standard_F8', 'Standard_F16', 'Standard_D2_v5', 'Standard_D4_v5', + 'Standard_D8_v5', 'Standard_D16_v5', 'Standard_D32_v5', 'Standard_D2s_v5', 'Standard_D4s_v5', + 'Standard_D8s_v5', 'Standard_D16s_v5', 'Standard_D2d_v5', 'Standard_D4d_v5', 'Standard_D8d_v5', + 'Standard_D16d_v5', 'Standard_D32d_v5', 'Standard_D2ds_v5', 'Standard_D4ds_v5', 'Standard_D8ds_v5', + 'Standard_D16ds_v5', 'Standard_D32ds_v5'. 
+ EOF + } +} + +variable "delete_os_disk_on_termination" { + type = bool + description = "Delete datadisk when VM is terminated" + default = true +} + +variable "publisher" { + description = "CheckPoint publisher" + default = "checkpoint" +} + +//************** Storage image reference and plan variables ****************// +variable "vm_os_offer" { + description = "The name of the image offer to be deployed." + type = string + + validation { + condition = contains([ + "check-point-cg-r8110", + "check-point-cg-r8120", + "check-point-cg-r82" + ], var.vm_os_offer) + error_message = "Variable [vm_os_offer] must be one of the following: 'check-point-cg-r8110', 'check-point-cg-r8120', 'check-point-cg-r82'." + } +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed" + type = string + + validation { + condition = contains([ + "sg-byol", + "sg-ngtp", + "sg-ngtx", + "mgmt-byol", + "mgmt-25" + ], var.vm_os_sku) + error_message = "Variable [vm_os_sku] must be one of the following: 'sg-byol', 'sg-ngtp', 'sg-ngtx', 'mgmt-byol', 'mgmt-25'." + } +} + +variable "vm_os_version" { + description = "The version of the image that you want to deploy. " + type = string + default = "latest" +} + +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995" + type = string + + validation { + condition = can(tonumber(var.disk_size)) && tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 + error_message = "Variable [disk_size] must be a number between 100 and 3995." 
+ } +} + +//************** Storage OS disk variables **************// +variable "storage_os_disk_create_option" { + description = "The method to use when creating the managed disk" + type = string + default = "FromImage" +} + +variable "storage_os_disk_caching" { + description = "Specifies the caching requirements for the OS Disk" + default = "ReadWrite" +} + +variable "managed_disk_type" { + description = "Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS" + type = string + default = "Standard_LRS" + + validation { + condition = contains([ + "Standard_LRS", + "Premium_LRS" + ], var.managed_disk_type) + error_message = "Variable [managed_disk_type] must be one of the following: 'Standard_LRS', 'Premium_LRS'." + } +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string + + validation { + condition = contains([ + "Password", + "SSH Public Key" + ], var.authentication_type) + error_message = "Variable [authentication_type] must be one of the following: 'Password', 'SSH Public Key'." + } +} + +//********************** Role Assignments variables**************************// +variable "role_definition" { + description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles" + type = string + default = "Contributor" +} diff --git a/modules/vnet/versions.tf b/modules/common/common/versions.tf old mode 100755 new mode 100644 similarity index 95% rename from modules/vnet/versions.tf rename to modules/common/common/versions.tf index 0ec4dcc..a501015 --- a/modules/vnet/versions.tf +++ b/modules/common/common/versions.tf @@ -1,3 +1,3 @@ terraform { required_version = ">= 0.14.3" -} \ No newline at end of file +} 
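Review bot: `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so Terraform prints them and anything derived from them as plain values in plan output; `sensitive = true` on each declaration is the one-line fix (state still holds them in clear, which is a state-backend concern this file cannot address). The two hash variables also lost the `default = ""` that the deleted `modules/common/variables.tf` gave them, yet `serial_console_password_hash` is still described as "Optional parameter" — either restore the default or update the description, since callers of the old module will now hit a missing-variable error. `managed_disk_type`'s description lists `StandardSSD_LRS` but the validation rejects it; align the description with the allowed set or add the value.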
diff --git a/modules/common/custom-image/locals.tf b/modules/common/custom-image/locals.tf
new file mode 100644
index 0000000..734042f
--- /dev/null
+++ b/modules/common/custom-image/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
+}
diff --git a/modules/common/custom-image/main.tf b/modules/common/custom-image/main.tf
new file mode 100644
index 0000000..dc498ec
--- /dev/null
+++ b/modules/common/custom-image/main.tf
@@ -0,0 +1,14 @@
+resource "azurerm_image" "custom_image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+
+ tags = var.tags
+}
diff --git a/modules/common/custom-image/outputs.tf b/modules/common/custom-image/outputs.tf
new file mode 100644
index 0000000..bfa29d3
--- /dev/null
+++ b/modules/common/custom-image/outputs.tf
@@ -0,0 +1,7 @@
+output "id" {
+ value = local.custom_image_condition ? azurerm_image.custom_image[0].id : null
+}
+
+output "create_custom_image" {
+ value = local.custom_image_condition
+}
diff --git a/modules/common/custom-image/variables.tf b/modules/common/custom-image/variables.tf
new file mode 100644
index 0000000..0b23530
--- /dev/null
+++ b/modules/common/custom-image/variables.tf
@@ -0,0 +1,23 @@ +//********************** Basic Configurations **************************// +variable "resource_group_name" { + description = "Azure Resource Group name to build into." + type = string +} + +variable "location" { + description = "The location/region where the custom image will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions." + type = string +} + +variable "tags" { + description = "The tags to associate with the custom image." + type = map(string) + default = {} +} + +//********************** Custom Image Variables **************************// +variable "source_image_vhd_uri" { + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + type = string + default = "noCustomUri" +} diff --git a/modules/common/main.tf b/modules/common/main.tf deleted file mode 100755 index d83c3e9..0000000 --- a/modules/common/main.tf +++ /dev/null @@ -1,6 +0,0 @@ -resource "azurerm_resource_group" "resource_group" { - name = var.resource_group_name - location = var.location - tags = var.tags -} - diff --git a/modules/common/network-security-group/local.tf b/modules/common/network-security-group/local.tf new file mode 100644 index 0000000..fb491a3 --- /dev/null +++ b/modules/common/network-security-group/local.tf @@ -0,0 +1,4 @@ +locals { + // Create a new NSG only if nsg_id is not provided + create_new_nsg = var.nsg_id == "" ? true : false +} diff --git a/modules/common/network-security-group/main.tf b/modules/common/network-security-group/main.tf new file mode 100644 index 0000000..7212e6a --- /dev/null +++ b/modules/common/network-security-group/main.tf 
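Review bot: `source_image_vhd_uri` is handed straight to `azurerm_image.os_disk.blob_uri` with no check beyond the `noCustomUri` sentinel, and a blob URI of this kind is often supplied with a SAS token appended, which would then appear unredacted in plan output and in the `id`-bearing module outputs. Add a validation that the value is the sentinel or an `https://` URL — `condition = var.source_image_vhd_uri == "noCustomUri" || can(regex("^https://", var.source_image_vhd_uri))` — and mark the variable `sensitive = true` if SAS URIs are expected. Separately, `azurerm_image` in `main.tf` is created with the fixed name `custom-image`, so two instances of this module in one resource group will collide; a name derived from a caller-supplied prefix avoids that.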
@@ -0,0 +1,25 @@
+//********************* Network Security Group Configurations **************************//
+resource "azurerm_network_security_group" "nsg" {
+ count = local.create_new_nsg ? 1 : 0
+ name = var.security_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+}
+
+//********************* Security Rules Configurations **************************//
+resource "azurerm_network_security_rule" "security_rule" {
+ count = local.create_new_nsg ? length(var.security_rules) : 0
+ name = lookup(var.security_rules[count.index], "name")
+ priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
+ direction = lookup(var.security_rules[count.index], "direction")
+ access = lookup(var.security_rules[count.index], "access")
+ protocol = lookup(var.security_rules[count.index], "protocol")
+ source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
+ destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
+ description = lookup(var.security_rules[count.index], "description")
+ source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
+ destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
+ resource_group_name = var.resource_group_name
+ network_security_group_name = azurerm_network_security_group.nsg[0].name
+}
diff --git a/modules/common/network-security-group/output.tf b/modules/common/network-security-group/output.tf
new file mode 100644
index 0000000..8294208
--- /dev/null
+++ b/modules/common/network-security-group/output.tf
@@ -0,0 +1,7 @@
+output "id" {
+ value = local.create_new_nsg ? azurerm_network_security_group.nsg[0].id : var.nsg_id
+}
+
+output "name" {
+ value = local.create_new_nsg ? azurerm_network_security_group.nsg[0].name : null
+}
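Review bot: When `nsg_id` is supplied, `count` on `azurerm_network_security_rule` becomes 0 and any `security_rules` the caller also passed are silently dropped, so a caller can believe restrictive rules were applied to their existing NSG when nothing was created. Fail loudly instead — `lifecycle { precondition { condition = local.create_new_nsg || length(var.security_rules) == 0 } }` on the rule resource (needs Terraform ≥ 1.2, while `versions.tf` only pins `>= 0.14.3`), or at minimum say in the `nsg_id` description that rules are ignored for an existing NSG. The lookups read the `source_port_ranges`/`destination_port_ranges` keys but feed the singular `source_port_range`/`destination_port_range` arguments, so a rule that supplies a list will fail at apply; the key names should match the argument they map to. `count`-indexed rules are also destroyed and recreated whenever the list is reordered, which briefly removes a deny rule; `for_each` keyed by rule name avoids that.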
diff --git a/modules/network_security_group/variables.tf b/modules/common/network-security-group/variables.tf old mode 100755 new mode 100644 similarity index 60% rename from modules/network_security_group/variables.tf rename to modules/common/network-security-group/variables.tf index 363489e..de42a2e --- a/modules/network_security_group/variables.tf +++ b/modules/common/network-security-group/variables.tf @@ -1,10 +1,11 @@ +//********************* Basic Configurations **************************// variable "resource_group_name" { description = "Azure Resource Group name to build into" - type = string + type = string } variable "location" { - type = string + type = string description = "The location/region where Network Security Group will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" } @@ -19,25 +20,16 @@ variable "tags" { default = {} } -# Security Rules definition +//********************* Use Existing NSG **************************// +variable "nsg_id" { + description = "If you want to use an existing Network Security Group, provide the ID here" + type = string + default = "" +} +//********************* Security Rules definition **************************// variable "security_rules" { description = "Security rules for the Network Security Group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]" - type = list(any) - default = [] -} - -variable "source_address_prefix" { - description = "Source address prefix to be applied to all rules" - type = list(string) - default = ["*"] - # Example ["10.0.3.0/24"] or ["VirtualNetwork"] + type = list(any) + default = [] } - -variable "destination_address_prefix" { - description = "Destination address prefix to be applied to all rules" - type = list(string) - default = ["*"] - # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"] -} - 
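Review bot: The `security_rules` description names the keys `source_port_range` and `destination_port_range`, but `main.tf` looks them up as `source_port_ranges` and `destination_port_ranges`, so a caller who follows this description gets a lookup error at plan time; the description should list the keys actually consumed. `type = list(any)` also defers every shape mistake to apply — a `list(object({...}))` with exactly the ten keys `main.tf` reads would catch them in `terraform validate`. The removed `source_address_prefix`/`destination_address_prefix` variables defaulted to `["*"]`, so each rule must now carry its own prefixes; state that in the description so nobody assumes a wildcard is still applied implicitly.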
diff --git a/modules/network_security_group/versions.tf b/modules/common/network-security-group/versions.tf old mode 100755 new mode 100644 similarity index 95% rename from modules/network_security_group/versions.tf rename to modules/common/network-security-group/versions.tf index 0ec4dcc..a501015 --- a/modules/network_security_group/versions.tf +++ b/modules/common/network-security-group/versions.tf @@ -1,3 +1,3 @@ terraform { required_version = ">= 0.14.3" -} \ No newline at end of file +} diff --git a/modules/common/storage-account/locals.tf b/modules/common/storage-account/locals.tf new file mode 100644 index 0000000..cc2c7ce --- /dev/null +++ b/modules/common/storage-account/locals.tf 
@@ -0,0 +1,51 @@ +locals { + serial_console_ips = contains(keys(local.serial_console_ips_per_location), var.location) ? local.serial_console_ips_per_location[var.location] : [] + storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips) + + serial_console_ips_per_location = { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" 
: ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"] + } +} diff --git a/modules/common/storage-account/main.tf b/modules/common/storage-account/main.tf new file mode 100644 index 0000000..8bea470 --- /dev/null +++ b/modules/common/storage-account/main.tf 
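Review bot: A region missing from `serial_console_ips_per_location` falls through to `[]`, so with `add_storage_account_ip_rules = true` the account is created with `default_action = "Deny"` and only `storage_account_additional_ips` allowed — the serial console is then locked out silently rather than the deployment failing. Surface that with a precondition or, at least, a comment on `serial_console_ips` such as `// regions absent from the map get no serial-console allow-list; verify the region before enabling ip rules`. The addresses themselves are a hard-coded snapshot of Microsoft-published endpoints; record the source and the date they were taken in a comment so the list can be re-verified, since a stale entry breaks console access only after the firewall is enabled.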
@@ -0,0 +1,47 @@
+//********************** Existing Storage Account **************************//
+data "azurerm_storage_account" "existing_storage_account" {
+ count = var.storage_account_deployment_mode == "Existing" ? 1 : 0
+ name = var.existing_storage_account_name
+ resource_group_name = var.existing_storage_account_resource_group_name
+}
+
+locals {
+ // Validate the storage account location matches the resource group location
+ validate_location = var.storage_account_deployment_mode == "Existing" ? (
+ data.azurerm_storage_account.existing_storage_account[0].location == var.location ? 0 : index("error:", "The storage account must be in the same location as the resource group.")
+ ) : 0
+}
+
+//********************** New Storage Account **************************//
+resource "random_id" "random_id" {
+ count = var.storage_account_deployment_mode == "New" ? 1 : 0
+ keepers = {
+ resource_group = var.resource_group_name
+ }
+ byte_length = 8
+}
+
+
+resource "azurerm_storage_account" "vm_boot_diagnostics_storage" {
+ count = var.storage_account_deployment_mode == "New" ? 1 : 0
+ name = "bootdiag${random_id.random_id[count.index].hex}"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ account_tier = var.storage_account_tier
+ account_replication_type = var.account_replication_type
+ account_kind = "StorageV2"
+ min_tls_version = "TLS1_2"
+
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = local.storage_account_ip_rules
+ }
+
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+
+ tags = var.tags
+}
diff --git a/modules/common/storage-account/outputs.tf b/modules/common/storage-account/outputs.tf
new file mode 100644
index 0000000..dbb9fd1
--- /dev/null
+++ b/modules/common/storage-account/outputs.tf
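Review bot: On the default path (`add_storage_account_ip_rules = false`) the boot-diagnostics account gets `default_action = "Allow"` and nothing else limiting exposure — `allow_nested_items_to_be_public` is left at the provider default, which in azurerm v3 is `true` and permits per-container anonymous access, and shared-key authentication stays enabled. `allow_nested_items_to_be_public = false` costs nothing for boot diagnostics and belongs next to `min_tls_version`; `shared_access_key_enabled = false` is worth weighing against how boot diagnostics writes to the account. `local.validate_location` is referenced nowhere in this hunk, so confirm Terraform still evaluates it for your version — a `precondition` on the data source is the unambiguous form — and the comparison `data...location == var.location` is sensitive to region-name format (`eastus` vs `East US`), so normalise both sides, e.g. `lower(replace(var.location, " ", ""))`, before comparing.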
@@ -0,0 +1,22 @@
+output "boot_diagnostics" {
+ value = var.storage_account_deployment_mode == "None" ? false : true
+}
+
+output "storage_account_ip_rules" {
+ value = local.storage_account_ip_rules
+}
+
+output "storage_account_primary_blob_endpoint" {
+ value = var.storage_account_deployment_mode == "None" || var.storage_account_deployment_mode == "Managed" ? "" : (
+ var.storage_account_deployment_mode == "Existing" ? data.azurerm_storage_account.existing_storage_account[0].primary_blob_endpoint :
+ azurerm_storage_account.vm_boot_diagnostics_storage[0].primary_blob_endpoint
+ )
+}
+
+output "storage_account_type" {
+ value = var.storage_account_type
+}
+
+output "storage_account_deployment_mode" {
+ value = var.storage_account_deployment_mode
+}
diff --git a/modules/common/storage-account/variables.tf b/modules/common/storage-account/variables.tf
new file mode 100644
index 0000000..3d633ad
--- /dev/null
+++ b/modules/common/storage-account/variables.tf
@@ -0,0 +1,117 @@ +//********************** Basic Configurations **************************// +variable "resource_group_name" { + description = "Azure Resource Group name to build into." + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions." + type = string +} + +variable "tags" { + description = "Tags to be associated with the storage account." + type = map(string) + default = {} +} + +//********************** Storage Account Variables **************************// +variable "storage_account_deployment_mode" { + description = "The deployment mode for the storage account." + type = string + default = "New" + + validation { + condition = contains([ + "New", + "Existing", + "Managed", + "None" + ], var.storage_account_deployment_mode) + error_message = "The storage_account_deployment_mode variable must be one of 'New', 'Existing', 'Managed' or 'None'." + } +} + +variable "existing_storage_account_name" { + description = "The name of an existing storage account." + type = string + default = "" + + validation { + condition = var.storage_account_deployment_mode == "Existing" ? var.existing_storage_account_name != "" : true + error_message = "Variable [existing_storage_account_name] must be set only when 'storage_account_deployment_mode' is set to 'Existing'." + } +} + +variable "existing_storage_account_resource_group_name" { + description = "The resource group name of an existing storage account." + type = string + default = "" + + validation { + condition = var.storage_account_deployment_mode == "Existing" ? var.existing_storage_account_resource_group_name != "" : true + error_message = "Variable [existing_storage_account_resource_group_name] must be set only when 'storage_account_deployment_mode' is set to 'Existing'." 
+ } +} + +variable "add_storage_account_ip_rules" { + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location." + type = bool + default = false +} + +variable "storage_account_additional_ips" { + description = "IPs/CIDRs that are allowed access to the Storage Account." + type = list(string) + default = [] + + validation { + condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips : regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", + ip)]) + error_message = "Variable [storage_account_additional_ips] must be a list of valid IP addresses and cannot contain '0.0.0.0'." + } +} + +variable "storage_account_type" { + description = "Defines the type of storage account to be created." + type = string + default = "Standard_LRS" + + validation { + condition = contains([ + "Standard_LRS", + "Premium_LRS" + ], var.storage_account_type) + error_message = "Variable [storage_account_type] must be one of 'Standard_LRS', 'Premium_LRS'." + } +} + +variable "storage_account_tier" { + description = "Defines the Tier to use for this storage account." + type = string + default = "Standard" + + validation { + condition = contains([ + "Standard", + "Premium" + ], var.storage_account_tier) + error_message = "Variable [storage_account_tier] must be one of 'Standard' or 'Premium'." + } +} + +variable "account_replication_type" { + description = "Defines the type of replication to use for this storage account." + type = string + default = "LRS" + + validation { + condition = contains([ + "LRS", + "GRS", + "RAGRS", + "ZRS" + ], var.account_replication_type) + error_message = "Variable [account_replication_type] must be one of 'LRS', 'GRS', 'RAGRS' or 'ZRS'." + } +} 
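Review bot: `storage_account_additional_ips` is described as "IPs/CIDRs", but the regex only matches a bare dotted quad, so any CIDR such as `10.0.0.0/24` is rejected with the "valid IP addresses" error. Either change the description to "IPv4 addresses", or extend the pattern with an optional `(/([0-9]|[12][0-9]|3[0-2]))?` suffix and explicitly reject a `/0` prefix as the existing check rejects `0.0.0.0`. The `add_storage_account_ip_rules` description should also state that when it is `false` the account's `default_action` is `Allow` and this list has no restricting effect, which is not apparent from either variable as written.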
diff --git a/modules/common/versions.tf b/modules/common/storage-account/versions.tf old mode 100755 new mode 100644 similarity index 95% rename from modules/common/versions.tf rename to modules/common/storage-account/versions.tf index 0ec4dcc..a501015 --- a/modules/common/versions.tf +++ b/modules/common/storage-account/versions.tf @@ -1,3 +1,3 @@ terraform { required_version = ">= 0.14.3" -} \ No newline at end of file +} diff --git a/modules/common/variables.tf b/modules/common/variables.tf deleted file mode 100755 index 4741b8b..0000000 --- a/modules/common/variables.tf +++ /dev/null 
@@ -1,361 +0,0 @@ -//************** Basic config variables**************// -variable "resource_group_name" { - description = "Azure Resource Group name to build into" - type = string -} - -variable "resource_group_id" { - description = "Azure Resource Group ID to use." - type = string - default = "" -} - -variable "location" { - description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" - type = string -} -//************** Virtual machine instance variables ************** -variable "admin_username" { - description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" - type = string - default = "notused" -} - -variable "admin_password" { - description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" - type = string -} - -variable "serial_console_password_hash" { - description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" - type = string - default = "" -} - -variable "maintenance_mode_password_hash" { - description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" - type = string - default = "" -} - -variable "tags" { - description = "Tags to be associated with the resource group." 
- type = map(string) - default = {} -} - -variable "boot_diagnostics" { - type = bool - description = "Enable or Disable boot diagnostics" - default = true -} - -variable "storage_account_additional_ips" { - type = list(string) - description = "IPs/CIDRs that are allowed access to the Storage Account" - default = [] - validation { - condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips: regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", ip)]) - error_message = "Invalid IPv4 address." - } -} -locals { - serial_console_ips_per_location = { - "eastasia" : ["20.205.69.28", "20.195.85.180"], - "southeastasia" : ["20.205.69.28", "20.195.85.180"], - "australiacentral" : ["20.53.53.224", "20.70.222.112"], - "australiacentral2" : ["20.53.53.224", "20.70.222.112"], - "australiaeast" : ["20.53.53.224", "20.70.222.112"], - "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], - "brazilsouth" : ["91.234.136.63", "20.206.0.194"], - "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], - "canadacentral" : ["52.228.86.177", "52.242.40.90"], - "canadaeast" : ["52.228.86.177", "52.242.40.90"], - "northeurope" : ["52.146.139.220", "20.105.209.72"], - "westeurope" : ["52.146.139.220", "20.105.209.72"], - "francecentral" : ["20.111.0.244", "52.136.191.10"], - "francesouth" : ["20.111.0.244", "52.136.191.10"], - "germanynorth" : ["51.116.75.88", "20.52.95.48"], - "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], - "centralindia" : ["20.192.168.150", "20.192.153.104"], - "southindia" : ["20.192.168.150", "20.192.153.104"], - "westindia" : ["20.192.168.150", "20.192.153.104"], - "japaneast" : ["20.43.70.205", "20.189.228.222"], - "japanwest" : ["20.43.70.205", "20.189.228.222"], - "koreacentral" : ["20.200.196.96", "52.147.119.29"], - "koreasouth" : ["20.200.196.96", "52.147.119.29"], - 
"norwaywest" : ["20.100.1.184", "51.13.138.76"], - "norwayeast" : ["20.100.1.184", "51.13.138.76"], - "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], - "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], - "uaecentral" : ["20.45.95.66", "20.38.141.5"], - "uaenorth" : ["20.45.95.66", "20.38.141.5"], - "uksouth" : ["20.90.132.144", "20.58.68.62"], - "ukwest" : ["20.90.132.144", "20.58.68.62"], - "swedencentral" : ["51.12.72.223", "51.12.22.174"], - "swedensouth" : ["51.12.72.223", "51.12.22.174"], - "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], - "eastus2euap" : ["20.45.242.18", "20.51.21.252"], - "centraluseuap" : ["20.45.242.18", "20.51.21.252"] - } - serial_console_ips = contains(keys(local.serial_console_ips_per_location),var.location) ? local.serial_console_ips_per_location[var.location] : [] - storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips) -} -variable "vm_instance_identity_type" { - description = "Managed Service Identity type" - type = string - default = "SystemAssigned" -} - -variable "module_name"{ - description = "Template name. Should be defined according to deployment type(ha, vmss)" - type = string -} - -variable "module_version"{ - description = "Template name. Should be defined according to deployment type(e.g. 
ha, vmss)" - type = string -} - -variable "bootstrap_script" { - description = "An optional script to run on the initial boot" - type = string - default = "" -} - -variable "os_version"{ - description = "GAIA OS version" - type = string -} - -locals { // locals for 'os_version' allowed values - os_version_allowed_values = [ - "R8110", - "R8120", - "R82" - ] - // will fail if [var.installation_type] is invalid: - validate_os_version_value = index(local.os_version_allowed_values, var.os_version) -} - -variable "installation_type"{ - description = "Installation type. Allowed values: cluster, vmss" - type = string -} - -locals { // locals for 'installation_type' allowed values - installation_type_allowed_values = [ - "cluster", - "vmss", - "management", - "standalone", - "gateway", - "mds-primary", - "mds-secondary", - "mds-logserver" - ] - // will fail if [var.installation_type] is invalid: - validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type) -} - -variable "number_of_vm_instances"{ - description = "Number of VM instances to deploy" - type = string -} - -variable "allow_upload_download" { - description = "Allow upload/download to Check Point" - type = bool -} - -variable "is_blink" { - description = "Define if blink image is used for deployment" -} - -variable "vm_size" { - description = "Specifies size of Virtual Machine" - type = string -} - -locals {// locals for 'vm_size' allowed values -allowed_vm_sizes = ["Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", - "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", - "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5", - "Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", - "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", - "Standard_D2ds_v5", 
"Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", - "Standard_D32ds_v5" - ] - // will fail if [var.vm_size] is invalid: - validate_vm_size_value = index(local.allowed_vm_sizes, var.vm_size) -} -variable "delete_os_disk_on_termination" { - type = bool - description = "Delete datadisk when VM is terminated" - default = true -} - -variable "publisher" { - description = "CheckPoint publisher" - default = "checkpoint" -} - -//************** Storage image reference and plan variables ****************// -variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" - type = string -} - -locals { // locals for 'vm_os_offer' allowed values - vm_os_offer_allowed_values = [ - "check-point-cg-r8110", - "check-point-cg-r8120", - "check-point-cg-r82" - ] - // will fail if [var.vm_os_offer] is invalid: - validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) - validate_os_version_match = regex(split("-", var.vm_os_offer)[3], lower(var.os_version)) -} - -variable "vm_os_sku" { - /* - Choose from: - - "sg-byol" - - "sg-ngtp" (for R81 and above) - - "sg-ngtx" (for R81 and above) - - "mgmt-byol" - - "mgmt-25" - */ - description = "The sku of the image to be deployed" - type = string -} - -locals { // locals for 'vm_os_sku' allowed values - vm_os_sku_allowed_values = [ - "sg-byol", - "sg-ngtp", - "sg-ngtx", - "mgmt-byol", - "mgmt-25" - ] - // will fail if [var.vm_os_sku] is invalid: - validate_vm_os_sku_value = index(local.vm_os_sku_allowed_values, var.vm_os_sku) -} - -variable "vm_os_version" { - description = "The version of the image that you want to deploy. " - type = string - default = "latest" -} - -variable "storage_account_type" { - description = "Defines the type of storage account to be created. 
Valid options is Standard_LRS, Premium_LRS" - type = string - default = "Standard_LRS" -} - -locals { // locals for 'storage_account_type' allowed values - storage_account_type_allowed_values = [ - "Standard_LRS", - "Premium_LRS" - ] - // will fail if [var.storage_account_type] is invalid: - validate_storage_account_type_value = index(local.storage_account_type_allowed_values, var.storage_account_type) -} - -variable "storage_account_tier" { - description = "Defines the Tier to use for this storage account.Valid options are Standard and Premium" - default = "Standard" -} - -locals { // locals for 'storage_account_tier' allowed values - storage_account_tier_allowed_values = [ - "Standard", - "Premium" - ] - // will fail if [var.storage_account_tier] is invalid: - validate_storage_account_tier_value = index(local.storage_account_tier_allowed_values, var.storage_account_tier) -} - -variable "account_replication_type" { - description = "Defines the type of replication to use for this storage account.Valid options are LRS, GRS, RAGRS and ZRS" - type = string - default = "LRS" -} - -locals { // locals for 'account_replication_type' allowed values - account_replication_type_allowed_values = [ - "LRS", - "GRS", - "RAGRS", - "ZRS" - ] - // will fail if [var.account_replication_type] is invalid: - validate_account_replication_type_value = index(local.account_replication_type_allowed_values, var.account_replication_type) -} - -variable "disk_size" { - description = "Storage data disk size size(GB). Select a number between 100 and 3995" - type = string -} - -resource "null_resource" "disk_size_validation" { - // Will fail if var.disk_size is less than 100 or more than 3995 - count = tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 ? 
0 : "variable disk_size must be a number between 100 and 3995" -} - -//************** Storage OS disk variables **************// -variable "storage_os_disk_create_option" { - description = "The method to use when creating the managed disk" - type = string - default = "FromImage" -} - -variable "storage_os_disk_caching" { - description = "Specifies the caching requirements for the OS Disk" - default = "ReadWrite" -} - -variable "managed_disk_type" { - description = "Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS" - type = string - default = "Standard_LRS" -} - -locals { // locals for 'managed_disk_type' allowed values - managed_disk_type_allowed_values = [ - "Standard_LRS", - "Premium_LRS" - ] - // will fail if [var.managed_disk_type] is invalid: - validate_managed_disk_type_value = index(local.managed_disk_type_allowed_values, var.managed_disk_type) -} - -variable "authentication_type" { - description = "Specifies whether a password authentication or SSH Public Key authentication should be used" - type = string -} -locals { // locals for 'authentication_type' allowed values - authentication_type_allowed_values = [ - "Password", - "SSH Public Key" - ] - // will fail if [var.authentication_type] is invalid: - validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) -} - - -//********************** Role Assignments variables**************************// -variable "role_definition" { - description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles" - type = string - default = "Contributor" -} \ No newline at end of file diff --git a/modules/common/vnet/locals.tf b/modules/common/vnet/locals.tf new file mode 100644 index 0000000..8538556 --- /dev/null +++ b/modules/common/vnet/locals.tf 
@@ -0,0 +1,25 @@
+locals {
+ // Create a new VNet only if address_space is provided
+ create_new_vnet = var.address_space != "" ? true : false
+
+ // Regex for validating CIDR notation
+ regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
+
+ next_hop_type_allowed_values = [
+ "VirtualNetworkGateway",
+ "VnetLocal",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+
+ subnets = local.create_new_vnet ? azurerm_subnet.subnet.*.id : (
+ length(var.subnet_names) == 1 ? [data.azurerm_subnet.frontend[0].id] :
+ [data.azurerm_subnet.frontend[0].id, data.azurerm_subnet.backend[0].id]
+ )
+
+ subnet_prefixes = local.create_new_vnet ? azurerm_subnet.subnet.*.address_prefixes[*][0] : (
+ length(var.subnet_names) == 1 ? [data.azurerm_subnet.frontend[0].address_prefixes[0]] :
+ [data.azurerm_subnet.frontend[0].address_prefixes[0], data.azurerm_subnet.backend[0].address_prefixes[0]]
+ )
+}
diff --git a/modules/common/vnet/main.tf b/modules/common/vnet/main.tf
new file mode 100644
index 0000000..fb6bc35
--- /dev/null
+++ b/modules/common/vnet/main.tf
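Review bot: The pattern in `regex_valid_network_cidr` ends with a top-level `|$` alternative, and `$` matches the end of every string, so `can(regex(local.regex_valid_network_cidr, x))` is true for any `x` and the address_space and subnet_prefixes validations in vnet/variables.tf never reject anything; the CIDR alternative is also not end-anchored, so trailing characters after the mask would pass even without the empty branch. Both callers already short-circuit on an empty string or when no new VNet is created, so the empty alternative is unnecessary: `regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/(3[0-2]|2[0-9]|1[0-9]|[0-9])$"`. Separately, `create_new_vnet = var.address_space != "" ? true : false` reads more plainly as `create_new_vnet = var.address_space != ""`.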
@@ -0,0 +1,106 @@
+//********************** New Virtual Network **************************//
+resource "azurerm_virtual_network" "vnet" {
+ count = local.create_new_vnet ? 1 : 0
+ name = var.vnet_name
+ location = var.location
+ address_space = [var.address_space]
+ resource_group_name = var.resource_group_name
+ dns_servers = var.dns_servers
+ tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_subnet" "subnet" {
+ depends_on = [
+ azurerm_virtual_network.vnet
+ ]
+ count = local.create_new_vnet ? length(var.subnet_names) : 0
+ name = var.subnet_names[count.index]
+ virtual_network_name = azurerm_virtual_network.vnet[0].name
+ resource_group_name = var.resource_group_name
+ address_prefixes = [var.subnet_prefixes[count.index]]
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
+ depends_on = [
+ azurerm_virtual_network.vnet,
+ azurerm_subnet.subnet[0]
+ ]
+ count = local.create_new_vnet ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[0].id
+ network_security_group_id = var.nsg_id
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
+ depends_on = [
+ azurerm_virtual_network.vnet,
+ azurerm_subnet.subnet[1]
+ ]
+ count = local.create_new_vnet ? (length(var.subnet_names) >= 2 ? 1 : 0) : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ network_security_group_id = var.nsg_id
+}
+
+resource "azurerm_route_table" "frontend" {
+ count = local.create_new_vnet ? 
1 : 0
+ name = azurerm_subnet.subnet[0].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "Local-Subnet"
+ address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+
+ route {
+ name = "To-Internal"
+ address_prefix = var.address_space
+ next_hop_type = local.next_hop_type_allowed_values[3]
+ next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[0].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v])
+ }
+
+ tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_subnet_route_table_association" "frontend_association" {
+ count = local.create_new_vnet ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[0].id
+ route_table_id = azurerm_route_table.frontend[0].id
+}
+
+resource "azurerm_route_table" "backend" {
+ count = local.create_new_vnet ? (length(var.subnet_names) >= 2 ? 1 : 0) : 0
+ name = azurerm_subnet.subnet[1].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "To-Internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[3]
+ next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[1].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v])
+ }
+
+ tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_subnet_route_table_association" "backend_association" {
+ count = local.create_new_vnet ? (length(var.subnet_names) >= 2 ? 1 : 0) : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ route_table_id = azurerm_route_table.backend[0].id
+}
+
+//********************** Existing Virtual Network **************************//
+data "azurerm_subnet" "frontend" {
+ count = !local.create_new_vnet ? 
1 : 0
+ name = var.subnet_names[0]
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.existing_vnet_resource_group
+}
+
+data "azurerm_subnet" "backend" {
+ count = !local.create_new_vnet && length(var.subnet_names) >= 2 ? 1 : 0
+ name = var.subnet_names[1]
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.existing_vnet_resource_group
+}
diff --git a/modules/common/vnet/outputs.tf b/modules/common/vnet/outputs.tf
new file mode 100644
index 0000000..41b179b
--- /dev/null
+++ b/modules/common/vnet/outputs.tf
@@ -0,0 +1,27 @@
+output "id" {
+ value = local.create_new_vnet ? azurerm_virtual_network.vnet[0].id : null
+}
+
+output "name" {
+ value = local.create_new_vnet ? azurerm_virtual_network.vnet[0].name : var.vnet_name
+}
+
+output "location" {
+ value = local.create_new_vnet ? azurerm_virtual_network.vnet[0].location : var.location
+}
+
+output "address_spaces" {
+ value = local.create_new_vnet ? azurerm_virtual_network.vnet[0].address_space : [var.address_space]
+}
+
+output "subnets" {
+ value = local.subnets
+}
+
+output "subnet_prefixes" {
+ value = local.subnet_prefixes
+}
+
+output "allocation_method" {
+ value = var.allocation_method
+}
diff --git a/modules/common/vnet/variables.tf b/modules/common/vnet/variables.tf
new file mode 100644
index 0000000..d25ecfd
--- /dev/null
+++ b/modules/common/vnet/variables.tf
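Review bot: In the `To-Internal` route of `azurerm_route_table.frontend` and the `To-Internet` route of `azurerm_route_table.backend`, `next_hop_in_ip_address` is built by adding 4 to the last octet of the subnet's network address as a string, so a subnet whose network address ends above 251 (possible with prefixes narrower than /24, which the module does not forbid) produces an octet above 255 that is only caught, if at all, when the provider submits it. Terraform's `cidrhost` does the same offset with carry and bounds checking and reads as intent rather than string surgery: `next_hop_in_ip_address = cidrhost(azurerm_subnet.subnet[0].address_prefixes[0], 4)` for the frontend table and the `[1]` form for the backend one. The meaning of the offset 4 is not stated anywhere; a comment on each route such as `// next hop is the cluster's internal VIP at offset 4 in the subnet` (presumably what is intended — confirm) would help the next maintainer.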
@@ -0,0 +1,96 @@
+//********************** Basic Configurations **************************//
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into."
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions."
+ type = string
+}
+
+variable "tags" {
+ description = "Tags to be associated with Virtual Network and subnets"
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual Network Variables **************************//
+variable "vnet_name" {
+ description = "Name of Virtual Network."
+ type = string
+ default = "vnet01"
+}
+
+
+// The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network.
+variable "existing_vnet_resource_group" {
+ description = "The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network."
+ type = string
+ default = ""
+
+ validation {
+ condition = local.create_new_vnet || (!local.create_new_vnet && var.existing_vnet_resource_group != "")
+ error_message = "Variable [existing_vnet_resource_group] must be provided when using an existing Virtual Network."
+ }
+}
+
+variable "subnet_names" {
+ description = "A list of subnet names in a Virtual Network"
+ type = list(string)
+ default = ["Frontend", "Backend"]
+
+ validation {
+ condition = length(var.subnet_names) <= 2 && length(var.subnet_names) >= 1
+ error_message = "At least one subnet is required and a maximum of two subnets are supported."
+ }
+}
+
+variable "address_space" {
+ description = "The address prefixes of the virtual network."
+ type = string
+ default = "10.0.0.0/16"
+
+ validation {
+ condition = var.address_space != "" ? 
can(regex(local.regex_valid_network_cidr, var.address_space)) : true
+ error_message = "Variable [address_space] must be a valid address in CIDR notation."
+ }
+}
+
+variable "subnet_prefixes" {
+ description = "The address prefixes to be used for subnets"
+ type = list(string)
+ default = ["10.0.0.0/24", "10.0.1.0/24"]
+
+ validation {
+ condition = local.create_new_vnet ? length(var.subnet_names) == length(var.subnet_prefixes) : true
+ error_message = "The length of [subnet_names] and [subnet_prefixes] must be the same."
+ }
+
+ validation {
+ condition = local.create_new_vnet ? alltrue([for prefix in var.subnet_prefixes : can(regex(local.regex_valid_network_cidr, prefix))]) : true
+ error_message = "All values in [subnet_prefixes] must be valid addresses in CIDR notation."
+ }
+}
+
+variable "nsg_id" {
+ description = "Network security group to be associated with a Virtual Network and subnets"
+ type = string
+}
+
+variable "dns_servers" {
+ description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS."
+ type = list(string)
+ default = []
+}
+
+variable "allocation_method" {
+ description = "IP address allocation method."
+ type = string
+ default = "Static"
+
+ validation {
+ condition = contains(["Static"], var.allocation_method)
+ error_message = "Variable [allocation_method] must be 'Static'."
+ }
+}
diff --git a/modules/common/vnet/versions.tf b/modules/common/vnet/versions.tf
new file mode 100644
index 0000000..a501015
--- /dev/null
+++ b/modules/common/vnet/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
diff --git a/modules/common/vwan/locals.tf b/modules/common/vwan/locals.tf
new file mode 100644
index 0000000..08606a4
--- /dev/null
+++ b/modules/common/vwan/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ // Create a new VWAN only if vwan_hub_address_prefix is provided
+ create_new_vwan = var.vwan_hub_address_prefix != "" ? true : false
+}
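Review bot: The `validation` blocks of `existing_vnet_resource_group`, `address_space` and `subnet_prefixes` reference `local.create_new_vnet` and `local.regex_valid_network_cidr`, but a variable validation condition could refer only to the variable itself before Terraform 1.9, and the vnet/versions.tf added in this commit pins just `required_version = ">= 0.14.3"`, so every Terraform release in that range below 1.9 rejects this module at `terraform validate`. Either raise the constraint to `required_version = ">= 1.9.0"` in versions.tf, or keep the loose constraint and move these cross-object checks into `precondition` blocks on the resources that consume the values. Independently, the first condition carries a redundant term and simplifies to `condition = local.create_new_vnet || var.existing_vnet_resource_group != ""`.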
diff --git a/modules/common/vwan/main.tf b/modules/common/vwan/main.tf
new file mode 100644
index 0000000..43e7ed0
--- /dev/null
+++ b/modules/common/vwan/main.tf
@@ -0,0 +1,25 @@
+//********************** New Virtual WAN **************************//
+resource "azurerm_virtual_wan" "vwan" {
+ count = local.create_new_vwan ? 1 : 0
+ name = var.vwan_name
+ resource_group_name = var.resource_group_name
+ location = var.location
+ tags = merge(lookup(var.tags, "virtual-wan", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_hub" "vwan_hub" {
+ count = local.create_new_vwan ? 1 : 0
+ name = var.vwan_hub_name
+ resource_group_name = var.resource_group_name
+ location = var.location
+ address_prefix = var.vwan_hub_address_prefix
+ virtual_wan_id = azurerm_virtual_wan.vwan[0].id
+ tags = merge(lookup(var.tags, "virtual-hub", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Existing Virtual WAN **************************//
+data "azurerm_virtual_hub" "vwan_hub" {
+ count = local.create_new_vwan ? 0 : 1
+ name = var.vwan_hub_name
+ resource_group_name = var.vwan_hub_resource_group
+}
diff --git a/modules/common/vwan/outputs.tf b/modules/common/vwan/outputs.tf
new file mode 100644
index 0000000..16381f8
--- /dev/null
+++ b/modules/common/vwan/outputs.tf
@@ -0,0 +1,11 @@
+output "hub_id" {
+ value = local.create_new_vwan ? azurerm_virtual_hub.vwan_hub[0].id : data.azurerm_virtual_hub.vwan_hub[0].id
+}
+
+output "hub_virtual_router_asn" {
+ value = local.create_new_vwan ? azurerm_virtual_hub.vwan_hub[0].virtual_router_asn : data.azurerm_virtual_hub.vwan_hub[0].virtual_router_asn
+}
+
+output "hub_virtual_router_ips" {
+ value = local.create_new_vwan ? azurerm_virtual_hub.vwan_hub[0].virtual_router_ips : data.azurerm_virtual_hub.vwan_hub[0].virtual_router_ips
+}
diff --git a/modules/common/vwan/variables.tf b/modules/common/vwan/variables.tf
new file mode 100644
index 0000000..f7ef236
--- /dev/null
+++ b/modules/common/vwan/variables.tf
@@ -0,0 +1,37 @@
+//********************** Basic Configurations **************************//
+variable "resource_group_name" {
+ description = "The name of the resource group in which to create the resources."
+ type = string
+}
+
+variable "location" {
+ description = "The Azure region where the resources will be created."
+ type = string
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual WAN Configurations **************************//
+variable "vwan_name" {
+ description = "The name of the Virtual WAN."
+ type = string
+}
+
+variable "vwan_hub_name" {
+ description = "The name of the Virtual Hub."
+ type = string
+}
+
+variable "vwan_hub_resource_group" {
+ description = "The resource group name for the Virtual Hub when using an existing VWAN."
+ type = string
+}
+
+variable "vwan_hub_address_prefix" {
+ description = "The address prefix for the Virtual Hub."
+ type = string
+}
diff --git a/modules/common/vwan/versions.tf b/modules/common/vwan/versions.tf
new file mode 100644
index 0000000..a501015
--- /dev/null
+++ b/modules/common/vwan/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
diff --git a/modules/high-availability/README.md b/modules/high-availability/README.md
new file mode 100644
index 0000000..bdedee9
--- /dev/null
+++ b/modules/high-availability/README.md
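Review bot: `vwan_hub_address_prefix` has no default, yet vwan/locals.tf treats an empty value as "use the existing hub", so callers wanting the existing-hub path must pass `""` explicitly, and nothing checks that a non-empty value is a well-formed CIDR the way the vnet module attempts for its prefixes. Giving it `default = ""` plus a self-contained check such as `condition = var.vwan_hub_address_prefix == "" || can(cidrnetmask(var.vwan_hub_address_prefix))` documents the mode switch and rejects malformed input at plan time; because it refers only to the variable itself it works on every Terraform version the module accepts. Likewise `vwan_hub_resource_group` is a required input even on the new-VWAN path, where vwan/main.tf never reads it (only the `data "azurerm_virtual_hub"` block does), so a `default = ""` would remove a needless required value there. The description of `vwan_hub_address_prefix` should also say that leaving it empty selects an existing hub.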
@@ -0,0 +1,212 @@ +# Check Point CloudGuard High Availability Module +This Terraform module deploys Check Point CloudGuard Network Security High Availability solution in azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity +- Availability Set - conditional creation +- Storage account + +For additional information, +please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) + +This solution uses the following submodules: +- common - used for creating a resource group and defining common variables. +- vnet - used for creating new virtual network and subnets. +- network_security_group - used for creating new network security groups and rules. +- storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics. + +## Usage +Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). 
+ +**Example:** +```hcl +provider "azurerm" { + features {} +} + +module "example_module" { + source = "CheckPointSW/cloudguard-network-security/azure//modules/high-availability" + version = "1.0.6" + + # Authentication Variables + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + + # Basic Configurations Variables + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + resource_group_name = "checkpoint-ha-terraform" + cluster_name = "checkpoint-ha-terraform" + location = "eastus" + tags = {} + + # Virtual Machine Instances Variables + source_image_vhd_uri = "noCustomUri" + authentication_type = "Password" + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + vm_size = "Standard_D4ds_v5" + disk_size = "110" + os_version = "R82" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r82" + allow_upload_download = true + admin_shell = "/etc/cli.sh" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + enable_custom_metrics = true + availability_type = "Availability Zone" + availability_zones = ["1", "2"] + + # Smart-1 Cloud Variables + smart_1_cloud_token_a = "xxxxxxxxxxxx" + smart_1_cloud_token_b = "xxxxxxxxxxxx" + + # Networking Variables + vnet_name = "checkpoint-ha-vnet" + frontend_subnet_name = "Frontend" + backend_subnet_name = "Backend" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24", "10.0.2.0/24"] + nsg_id = "" + storage_account_deployment_mode = "New" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + vips_names = [] + + # Load Balancers Variables + enable_floating_ip = true + use_public_ip_prefix = false + create_public_ip_prefix = false + 
existing_public_ip_prefix_id = "" +} +``` + +## Conditional creation +### Virtual Network: +You can specify wether you want to create a new Virtual Network or use an existing one: +- To create a new Virtual Network: + ``` + address_space = "10.0.0.0/16" + ``` +- To use an existing Virtual Network: + ``` + address_space = "" + existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME" + ``` + When using an existing Virtual Network the variable `frontend_subnet_name` and `backend_subnet_name` will be used as the name of the existing subnets inside the Virtual Network, you can also ignore the `address_prefixes` when you use an existing Virtual Network. + +### Availability types deployment: +- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: + ``` + availability_type = "Availability Set" + ``` + Otherwise, to deploy the solution based on Azure Availability Zone in supported regions: + ``` + availability_type = "Availability Zone" + ``` + +- To specify which zones to deploy into (up to 2 zones for HA), set: + ``` + availability_zones = ["1", "2"] + ``` + If availability_zones is not provided or is set to an empty list ([]), the deployment will still use multiple zones by default. + +### Custom metrics: +To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +### Public IP prefix: +To create new public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = true + ``` +To use an existing public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = false + existing_public_ip_prefix_id = "public IP prefix resource id" + ``` + +### Boot Diagnostics: +You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. 
The available options for `storage_account_deployment_mode` are: +- `New` Creates a new storage account to be used for boot diagnostics.
+Usage: `storage_account_deployment_mode = "New"` +- `Exists` Uses an existing storage account for boot diagnostics.
+Usages: + ``` + storage_account_deployment_mode = "Existing" + existing_storage_account_name = "EXISTING_STORAGE_ACCOUNT_NAME" + existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME" + ``` +- `Managed`: Uses a managed (automatically created) storage account for boot diagnostics.
+Usage: `storage_account_deployment_mode = "Managed"` +- `None`: Disables boot diagnostics.
+Usage: `storage_account_deployment_mode = "None"`
+ +## Module's variables: +| Name | Description | Type | Allowed values | +| ---- | ----------- | ---- | -------------- | +| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | N/A | +| **client_id** | The client ID of the Service Principal used to deploy the solution | string | N/A | +| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | N/A | +| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | N/A | +| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution. | string | N/A | +| **resource_group_name** | The name of the resource group that will contain the contents of the deployment. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens, and parentheses and cannot end in a period. | +| **cluster_name** | The name of the Check Point Cluster Object. | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long. | +| **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Defaults:** {} | +| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. | string | **Default:** "noCustomUri" | +| **admin_username** | Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used. | string | **Default:** "notused" | +| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used. | string | "Password";
"SSH Public Key"; | +| **admin_password** | The password associated with the local administrator account on each cluster member. | string | Password must have 3 of the following: 1 lowercase character, 1 uppercase character, 1 number, and 1 special character. | +| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key'. | string | **Default:** "" | +| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the cluster object and the management server. | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | +| **serial_console_password_hash** | Optional parameter to enable serial console connection in case of SSH key as authentication type. | string | N/A | +| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. | string | N/A | +| **number_of_vm_instances** | Number of VM instances to deploy. | string | **Default:** "2" | +| **vm_size** | Specifies the size of the Virtual Machine. | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc). | +| **disk_size** | Storage data disk size (GB). | string | A number in the range 100 - 3995 (GB). | +| **os_version** | GAIA OS version. | string | "R8110";
"R8120"; | +| **vm_os_sku** | A SKU of the image to be deployed. | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | +| **vm_os_offer** | The name of the image offer to be deployed. | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | +| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | boolean| true;
false;| +| **admin_shell** | Enables selecting different admin shells. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | +| **bootstrap_script** | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" | +| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | +| **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be used for Cluster members monitoring. | boolean | true;
false;
**Default:** true | +| **availability_type** | Optional parameter, specifies whether to deploy the solution based on Azure Availability Set or Azure Availability Zone. | string | "Availability Zone";
"Availability Set";
**Default:** "Availability Zone" | +| **availability_zones** | Optional parameter, specifies in which zones to deploy the solution (up to two zones). | list(string) | ["1"];
["1", "2"];
**Default:** [] | +| **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service. | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal. | +| **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service. | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal. | +| **vnet_name** | The name of the virtual network that will be created. | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | +| **existing_vnet_resource_group** | The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network. | string | **Default:** "" | +| **frontend_subnet_name** | The Virtual Network subnet name for the frontend interface. | string | N/A | +| **backend_subnet_name** | The Virtual Network subnet name for the backend interface. | string | N/A | +| **address_space** | The address prefixes of the virtual network. | string | Valid CIDR block
**Default:** "10.0.0.0/16" | +| **subnet_prefixes** | The address prefixes to be used for created subnets. | string | The subnets need to contain within the address space for this virtual network (defined by the `address_space` variable).
**Default:** ["10.0.0.0/24", "10.0.1.0/24"] | +| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a default NSG will be created. | string | Existing NSG resource ID
**Default:** "" | +| **storage_account_deployment_mode** | Choose the boot diagnostics storage account type. | string | New;
Existing;
Managed;
None;
**Default:** New | +| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location.
Relevant only if `storage_account_deployment_mode = "New"`. | boolean| true;
false;
**Default:** false | +| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account.
Relevant only if `storage_account_deployment_mode = "New"`. | list(string) | A list of valid IPs and CIDRs
**Default:** [] | +| **existing_storage_account_name** | The existing storage account name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **existing_storage_account_resource_group_name** | The existing storage account resource group name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **sku** | SKU | string | **Default:** "Standard" | +| **security_rules** | Security rules for the Network Security Group. | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | +| **vips_names** | Names for additional Virtual IP addresses beyond the primary cluster VIP. Each name creates a corresponding public IP resource. | list(string) | **Default:** [] | +| **lb_probe_name** | Name to be used for lb health probe. | string | **Default:** "health_prob_port" | +| **lb_probe_port** | Port to be used for load balancer health probes and rules. | string | **Default:** "8117" | +| **lb_probe_protocol** | Protocols to be used for load balancer health probes and rules. | string | **Default:** "Tcp" | +| **lb_probe_unhealthy_threshold** | Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy. | number | **Default:** 2 | +| **lb_probe_interval** | Interval in seconds load balancer health probe rule perfoms a check. | number | **Default:** 5 | +| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false;
**Default:** true | +| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false;
**Default:** false | +| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used. | boolean | true;
false;
**Default:** false | +| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID. | string | Existing public IP prefix resource ID.
**Default:** "" |
\ No newline at end of file
diff --git a/modules/high_availability_new_vnet/cloud-init.sh b/modules/high-availability/cloud-init.sh
old mode 100755
new mode 100644
similarity index 100%
rename from modules/high_availability_new_vnet/cloud-init.sh
rename to modules/high-availability/cloud-init.sh
diff --git a/modules/high-availability/locals.tf b/modules/high-availability/locals.tf
new file mode 100644
index 0000000..c64bf83
--- /dev/null
+++ b/modules/high-availability/locals.tf
@@ -0,0 +1,17 @@
+locals {
+ module_name = "high_availability_terraform_registry"
+ module_version = "1.0.6"
+
+ # Determine if Availability Set should be created
+ availability_set_condition = var.availability_type == "Availability Set" ? true : false
+
+ # Validate both s1c tokens are unqiue
+ is_tokens_used = length(var.smart_1_cloud_token_a) > 0
+ token_parts_a = split(" ", var.smart_1_cloud_token_a)
+ token_parts_b = split(" ", var.smart_1_cloud_token_b)
+ acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1]
+ acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1]
+ validate_tokens_uniqueness = local.is_tokens_used ? (
+ local.acutal_token_a != local.acutal_token_b ? 0 : index("error", "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member")
+ ) : 0
+}
diff --git a/modules/high-availability/main.tf b/modules/high-availability/main.tf
new file mode 100644
index 0000000..260460d
--- /dev/null
+++ b/modules/high-availability/main.tf
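Review bot: `validate_tokens_uniqueness` only raises an error if something evaluates it, because Terraform evaluates locals lazily; nothing in the visible part of main.tf references `local.validate_tokens_uniqueness`, so unless a reference exists further down, two identical Smart-1 Cloud tokens are accepted silently and both members try to enrol with the same token. If the module's version floor allows it, a `precondition` on the resource that consumes the tokens, with the same `error_message`, is both guaranteed to run and easier to read than the `index("error", ...)` trick. While touching it: `is_tokens_used` tests only `smart_1_cloud_token_a`, and the typos in `acutal_token_a`/`acutal_token_b`, the comment `unqiue` and the user-facing message text `memeber` should be fixed, since the last one is what operators will see.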
@@ -0,0 +1,579 @@
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../common/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ is_zonal = var.availability_type == "Availability Zone"
+ availability_zones_num = tostring(length(var.availability_zones))
+ availability_zones = var.availability_zones
+ admin_password = var.admin_password
+ installation_type = "cluster"
+ module_name = local.module_name
+ module_version = local.module_version
+ number_of_vm_instances = var.number_of_vm_instances
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Network Security Group **************************//
+module "network_security_group" {
+ source = "../common/network-security-group"
+ nsg_id = var.nsg_id
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}_nsg"
+ location = module.common.resource_group_location
+ security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ depends_on = [
+ module.network_security_group
+ ]
+ source = "../common/vnet"
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ existing_vnet_resource_group = var.existing_vnet_resource_group
+ location = module.common.resource_group_location
+ address_space = var.address_space
+ subnet_prefixes = var.subnet_prefixes
+ subnet_names = [var.frontend_subnet_name, var.backend_subnet_name]
+ nsg_id = module.network_security_group.id
+ tags = var.tags
+}
+
+
+resource "random_id" "random_id" {
+ byte_length = 13
+ keepers = {
+ rg_id = module.common.resource_group_id
+ }
+}
+
+resource "azurerm_public_ip_prefix" "public_ip_prefix" {
+ count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0
+ name = "${module.common.resource_group_name}-ipprefix"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ prefix_length = length(var.vips_names) > 4 ? 28 : length(var.vips_names) > 0 ? 29 : 30
+ tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_public_ip" "public_ip" {
+ count = 2
+ name = "${var.cluster_name}${count.index + 1}_IP"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.cluster_name)}-${count.index + 1}-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_public_ip" "cluster_vip" {
+ name = var.cluster_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_public_ip" "vips" {
+ count = length(var.vips_names)
+ name = var.vips_names[count.index]
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.vips_names[count.index])}-${count.index}-vip-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface" "nic_vip" {
+ depends_on = [
+ azurerm_public_ip.cluster_vip,
+ azurerm_public_ip.public_ip,
+ azurerm_public_ip.vips,
+ ]
+ name = "${var.cluster_name}1-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+ ip_configuration {
+ name = "ipconfig1"
+ primary = true
+ subnet_id = module.vnet.subnets[0]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 5)
+ public_ip_address_id = azurerm_public_ip.public_ip.0.id
+ }
+
+ ip_configuration {
+ name = "cluster-vip"
+ subnet_id = module.vnet.subnets[0]
+ primary = false
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7)
+ public_ip_address_id = azurerm_public_ip.cluster_vip.id
+ }
+
+ dynamic "ip_configuration" {
+ for_each = var.vips_names
+ content {
+ name = "cluster-vip-${index(var.vips_names, ip_configuration.value) + 1}"
+ subnet_id = module.vnet.subnets[0]
+ primary = false
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7 + index(var.vips_names, ip_configuration.value) + 1)
+ public_ip_address_id = azurerm_public_ip.vips[index(var.vips_names, ip_configuration.value)].id
+ }
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member.
+ # updates these based on some ruleset managed elsewhere.
+ ip_configuration
+ ]
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" {
+ depends_on = [
+ azurerm_network_interface.nic_vip,
+ azurerm_lb_backend_address_pool.frontend_lb_pool
+ ]
+ network_interface_id = azurerm_network_interface.nic_vip.id
+ ip_configuration_name = "ipconfig1"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.frontend_lb_pool.id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public_ip,
+ azurerm_lb.frontend_lb
+ ]
+ name = "${var.cluster_name}2-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+ ip_configuration {
+ name = "ipconfig1"
+ primary = true
+ subnet_id = module.vnet.subnets[0]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 6)
+ public_ip_address_id = azurerm_public_ip.public_ip.1.id
+ }
+
+ lifecycle {
+ ignore_changes = [
+ # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member.
+ # updates these based on some ruleset managed elsewhere.
+ ip_configuration
+ ]
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_lb_backend_address_pool.frontend_lb_pool
+ ]
+ network_interface_id = azurerm_network_interface.nic.id
+ ip_configuration_name = "ipconfig1"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.frontend_lb_pool.id
+}
+
+resource "azurerm_network_interface" "nic1" {
+ depends_on = [
+ azurerm_lb.backend_lb
+ ]
+ count = 2
+ name = "${var.cluster_name}${count.index + 1}-eth1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = module.vnet.subnets[1]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index + 5)
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" {
+ depends_on = [
+ azurerm_network_interface.nic1,
+ azurerm_lb_backend_address_pool.backend_lb_pool
+ ]
+ count = 2
+ network_interface_id = azurerm_network_interface.nic1[count.index].id
+ ip_configuration_name = "ipconfig2"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.backend_lb_pool.id
+}
+
+//********************** Load Balancers **************************//
+resource "azurerm_public_ip" "public_ip_lb" {
+ name = "frontend_lb_ip"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_lb" "frontend_lb" {
+ name = "frontend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+
+ frontend_ip_configuration {
+ name = "LoadBalancerFrontend"
+ public_ip_address_id = azurerm_public_ip.public_ip_lb.id
+ }
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_lb_backend_address_pool" "frontend_lb_pool" {
+ loadbalancer_id = azurerm_lb.frontend_lb.id
+ name = "frontend-lb-pool"
+}
+
+resource "azurerm_lb" "backend_lb" {
+ name = "backend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+
+ frontend_ip_configuration {
+ name = "backend-lb"
+ subnet_id = module.vnet.subnets[1]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4)
+ }
+
+ tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_lb_backend_address_pool" "backend_lb_pool" {
+ name = "backend-lb-pool"
+ loadbalancer_id = azurerm_lb.backend_lb.id
+}
+
+resource "azurerm_lb_probe" "azure_lb_healprob" {
+ count = 2
+ loadbalancer_id = count.index == 0 ? azurerm_lb.frontend_lb.id : azurerm_lb.backend_lb.id
+ name = var.lb_probe_name
+ protocol = var.lb_probe_protocol
+ port = var.lb_probe_port
+ interval_in_seconds = var.lb_probe_interval
+ number_of_probes = var.lb_probe_unhealthy_threshold
+}
+
+resource "azurerm_lb_rule" "backend_lb_rules" {
+ loadbalancer_id = azurerm_lb.backend_lb.id
+ name = "backend-lb"
+ protocol = "All"
+ frontend_port = 0
+ backend_port = 0
+ frontend_ip_configuration_name = "backend-lb"
+ load_distribution = "Default"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend_lb_pool.id]
+ probe_id = azurerm_lb_probe.azure_lb_healprob[1].id
+ enable_floating_ip = var.enable_floating_ip
+}
+
+//********************** Availability Set **************************//
+resource "azurerm_availability_set" "availability_set" {
+ count = local.availability_set_condition ? 1 : 0
+ name = "${var.cluster_name}-AvailabilitySet"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ platform_fault_domain_count = 2
+ platform_update_domain_count = 5
+ managed = true
+ tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Storage accounts **************************//
+module "vm_boot_diagnostics_storage" {
+ source = "../common/storage-account"
+ storage_account_deployment_mode = var.storage_account_deployment_mode
+ existing_storage_account_name = var.existing_storage_account_name
+ existing_storage_account_resource_group_name = var.existing_storage_account_resource_group_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ add_storage_account_ip_rules = var.add_storage_account_ip_rules
+ storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Virtual Machines **************************//
+module "custom_image" {
+ source = "../common/custom-image"
+ source_image_vhd_uri = var.source_image_vhd_uri
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_machine" "vm_instance_availability_set" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_network_interface.nic1,
+ azurerm_network_interface.nic_vip
+ ]
+ count = local.availability_set_condition ? module.common.number_of_vm_instances : 0
+ name = "${var.cluster_name}${count.index + 1}"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability_set[0].id : ""
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id
+ network_interface_ids = count.index == 0 ? [
+ azurerm_network_interface.nic_vip.id,
+ azurerm_network_interface.nic1.0.id
+ ] : [
+ azurerm_network_interface.nic.id,
+ azurerm_network_interface.nic1.1.id
+ ]
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ storage_image_reference {
+ id = module.custom_image.id
+ publisher = module.custom_image.create_custom_image ? null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = "${var.cluster_name}-${count.index + 1}"
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.vm_boot_diagnostics_storage.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+
+ dynamic "plan" {
+ for_each = module.custom_image.create_custom_image ? [] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ os_profile {
+ computer_name = "${lower(var.cluster_name)}${count.index + 1}"
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ module_name = module.common.module_name
+ module_version = module.common.module_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ sic_key = var.sic_key
+ tenant_id = var.tenant_id
+ virtual_network = module.vnet.name
+ cluster_name = var.cluster_name
+ external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ admin_shell = var.admin_shell
+ smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = module.common.SSH_authentication_type_condition
+ dynamic "ssh_keys" {
+ for_each = module.common.SSH_authentication_type_condition ? [1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = var.admin_SSH_key
+ }
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.vm_boot_diagnostics_storage.boot_diagnostics
+ storage_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint
+ }
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_machine" "vm_instance_availability_zone" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_network_interface.nic1,
+ azurerm_network_interface.nic_vip
+ ]
+ count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances
+ name = "${var.cluster_name}${count.index + 1}"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ zones = length(var.availability_zones) == 0 ? [count.index + 1] : length(var.availability_zones) == 1 ? [var.availability_zones[0]] : [var.availability_zones[count.index]]
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id
+ network_interface_ids = count.index == 0 ? [
+ azurerm_network_interface.nic_vip.id,
+ azurerm_network_interface.nic1.0.id
+ ] : [
+ azurerm_network_interface.nic.id,
+ azurerm_network_interface.nic1.1.id
+ ]
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ storage_image_reference {
+ id = module.custom_image.id
+ publisher = module.custom_image.create_custom_image ? null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = "${var.cluster_name}-${count.index + 1}"
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.vm_boot_diagnostics_storage.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+
+ dynamic "plan" {
+ for_each = module.custom_image.create_custom_image ? [] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ os_profile {
+ computer_name = "${lower(var.cluster_name)}${count.index + 1}"
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ module_name = module.common.module_name
+ module_version = module.common.module_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ sic_key = var.sic_key
+ tenant_id = var.tenant_id
+ virtual_network = module.vnet.name
+ cluster_name = var.cluster_name
+ external_private_addresses = cidrhost(module.vnet.subnet_prefixes[0], 7)
+ enable_custom_metrics = var.enable_custom_metrics ?
"yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = module.common.SSH_authentication_type_condition + dynamic "ssh_keys" { + for_each = module.common.SSH_authentication_type_condition ? [1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = var.admin_SSH_key + } + } + } + + boot_diagnostics { + enabled = module.vm_boot_diagnostics_storage.boot_diagnostics + storage_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint + } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) +} + +//********************** Role Assigments **************************// +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} + +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" +} + +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm_instance_availability_set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm_instance_availability_zone[count.index].identity[0], "principal_id") + + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } +} + +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? 
lookup(azurerm_virtual_machine.vm_instance_availability_set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm_instance_availability_zone[count.index].identity[0], "principal_id") + + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } +} diff --git a/modules/high-availability/variables.tf b/modules/high-availability/variables.tf new file mode 100644 index 0000000..dfecbc7 --- /dev/null +++ b/modules/high-availability/variables.tf 
@@ -0,0 +1,353 @@
+//********************** Basic Configuration Variables **************************//
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into."
+ type = string
+}
+
+variable "cluster_name" {
+ description = "Cluster name."
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions."
+ type = string
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ type = string
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used."
+ type = string
+ default = "notused"
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used."
+ type = string
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Macine. The password must meet the complexity requirements of Azure."
+ type = string
+}
+
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances."
+ default = ""
+}
+
+
+variable "sic_key" {
+ description = "Secure Internal Communication (SIC) key."
+ type = string
+
+ validation {
+ condition = length(var.sic_key) >= 12
+ error_message = "Variable [sic_key] must be at least 12 characters long."
+ }
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type."
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
+ type = string
+}
+
+variable "number_of_vm_instances" {
+ description = "Number of VM instances to deploy."
+ type = string
+ default = "2"
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine."
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size (GB). Select a number between 100 and 3995."
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version."
+ type = string
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed."
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point."
+ type = bool
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time."
+ type = string
+ default = "/etc/cli.sh"
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot."
+ type = string
+ default = ""
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+ default = true
+}
+
+variable "enable_custom_metrics" {
+ description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
+ type = bool
+ default = true
+}
+
+variable "availability_type" {
+ description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone."
+ type = string
+ default = "Availability Zone"
+
+ validation {
+ condition = contains([
+ "Availability Zone",
+ "Availability Set"
+ ], var.availability_type)
+ error_message = "Variable [availability_type] must be one of the following: 'Availability Zone', 'Availability Set'."
+ }
+}
+
+variable "availability_zones" {
+ description = "A list of availability zones to use for Scale Set."
+ type = list(string)
+ default = []
+
+ validation {
+ condition = length(var.availability_zones) <= 2
+ error_message = "The number of availability zones must be 1 or 2."
+ }
+}
+
+//********************** Smart-1 Cloud Variables **************************//
+variable "smart_1_cloud_token_a" {
+ description = "Smart-1 Cloud Token, for configuring member A."
+ type = string
+}
+
+variable "smart_1_cloud_token_b" {
+ description = "Smart-1 Cloud Token, for configuring member B."
+ type = string
+
+ validation {
+ condition = var.smart_1_cloud_token_b != "" && var.smart_1_cloud_token_a != "" ? true : var.smart_1_cloud_token_b == "" && var.smart_1_cloud_token_a == ""
+ error_message = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)."
+ }
+}
+
+//********************** Natworking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name."
+ type = string
+}
+
+variable "existing_vnet_resource_group" {
+ description = "The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network."
+ type = string
+ default = ""
+}
+
+variable "frontend_subnet_name" {
+ description = "The Virtual Network subnet name for the frontend interface."
+ type = string
+}
+
+variable "backend_subnet_name" {
+ description = "The Virtual Network subnet name for the backend interface."
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "subnet_prefixes" {
+ description = "Address prefix to be used for network subnets."
+ type = list(string)
+ default = ["10.0.0.0/24", "10.0.1.0/24"]
+}
+
+variable "nsg_id" {
+ description = "(Optional) The Network Security Group ID."
+ type = string
+ default = ""
+}
+
+variable "storage_account_deployment_mode" {
+ description = "The deployment mode for the storage account. Options are 'New', 'Existing', 'Managed' and 'None'. If 'Existing', the storage account must be specified in the variable 'existing_storage_account_id'."
+ type = string
+ default = "New"
+}
+
+variable "add_storage_account_ip_rules" {
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location."
+ type = bool
+ default = false
+}
+
+variable "storage_account_additional_ips" {
+ description = "IPs/CIDRs that are allowed access to the Storage Account."
+ type = list(string)
+ default = []
+}
+
+variable "existing_storage_account_name" {
+ type = string
+ description = "The name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ default = ""
+}
+
+variable "existing_storage_account_resource_group_name" {
+ type = string
+ description = "The resource group name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ default = ""
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]."
+ type = list(any)
+ default = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+variable "vips_names" {
+ description = "Names to be used for the VIPs."
+ type = list(string)
+ default = []
+
+ # More than 10 VIPs may result in not enough available IPs available in IpPrefix
+ validation {
+ condition = length(var.vips_names) < 10
+ error_message = "The number of VIPs must be less than 10."
+ }
+}
+
+//********************* Load Balancers Variables **********************//
+variable "lb_probe_name" {
+ description = "Name to be used for lb health probe."
+ type = string
+ default = "health_prob_port"
+}
+
+variable "lb_probe_port" {
+ description = "Port to be used for load balancer health probes and rules."
+ type = string
+ default = "8117"
+}
+
+variable "lb_probe_protocol" {
+ description = "Protocols to be used for load balancer health probes and rules."
+ type = string
+ default = "Tcp"
+}
+
+variable "lb_probe_unhealthy_threshold" {
+ description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy."
+ type = number
+ default = 2
+}
+
+variable "lb_probe_interval" {
+ description = "Interval in seconds load balancer health probe rule perfoms a check."
+ type = number + default = 5 +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = true +} + +variable "use_public_ip_prefix" { + description = "Indicates whether the public IP resources will be deployed with public IP prefix." + type = bool + default = false +} + +variable "create_public_ip_prefix" { + description = "Indicates whether the public IP prefix will created or an existing will be used." + type = bool + default = false +} + +variable "existing_public_ip_prefix_id" { + description = "The existing public IP prefix resource id." + type = string + default = "" +} diff --git a/modules/nva_into_new_vwan/versions.tf b/modules/high-availability/versions.tf old mode 100755 new mode 100644 similarity index 85% rename from modules/nva_into_new_vwan/versions.tf rename to modules/high-availability/versions.tf index 0df2f1c..7e95d53 --- a/modules/nva_into_new_vwan/versions.tf +++ b/modules/high-availability/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.5.0" + required_version = ">= 1.6" required_providers { azurerm = { source = "hashicorp/azurerm" @@ -7,14 +7,13 @@ terraform { } azapi = { source = "Azure/azapi" - version = "~> 2.2.0" - } + version = "~> 2.4.0" + } random = { - version = "~> 3.5.1" + version = "~> 3.6.0" } } } - provider "azapi" { subscription_id = var.subscription_id client_id = var.client_id diff --git a/modules/high_availability_existing_vnet/README.md b/modules/high_availability_existing_vnet/README.md deleted file mode 100755 index e395531..0000000 --- a/modules/high_availability_existing_vnet/README.md +++ /dev/null 
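Review bot: The secret-bearing inputs declared in this new variables.tf — `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token_a`/`smart_1_cloud_token_b`, `serial_console_password_hash` and `maintenance_mode_password_hash` — carry no `sensitive = true`, so their values are echoed in plan/apply output and in state diffs of every attribute derived from them (the `custom_data` template in main.tf consumes most of them); the module already pins `required_version = ">= 1.6"`, which supports the flag, so each of those `variable` blocks should gain `sensitive = true`. Separately, the `validation` on `smart_1_cloud_token_b` refers to `var.smart_1_cloud_token_a`; to my knowledge cross-variable references inside a `validation` condition are only accepted from Terraform 1.9 onward, so a 1.6–1.8 binary allowed by versions.tf would reject this configuration — either raise `required_version` to `">= 1.9"` or move the "both tokens or neither" check into a `precondition` on the resource that consumes the tokens. Finally, the `security_rules` default is a single `AllowAllInBound` rule from `*` to `*`, while the deleted README documented the default as `[]`; if the wide-open NSG default is deliberate because the CloudGuard gateway itself filters traffic, the variable description should state that explicitly, otherwise an empty default is the safer choice.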
@@ -1,133 +0,0 @@ -# Check Point CloudGuard High Availability Module - Existing VNet -This Terraform module deploys Check Point CloudGuard Network Security High Availability solution into an existing VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- System assigned identity -- Availability Set - conditional creation - -For additional information, -please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_existing_vnet" - version = "1.0.8" - - tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-ha-terraform" - cluster_name = "checkpoint-ha-terraform" - location = "eastus" - vnet_name = "checkpoint-ha-vnet" - vnet_resource_group = "existing-vnet" - frontend_subnet_name = "frontend" - backend_subnet_name = "backend" - frontend_IP_addresses = [5, 6, 7] - backend_IP_addresses = [5, 6, 7] - vips_names = [] - admin_password = "xxxxxxxxxxxx" - smart_1_cloud_token_a = "xxxxxxxxxxxx" - smart_1_cloud_token_b = "xxxxxxxxxxxx" - sic_key = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "sg-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - 
availability_type = "Availability Zone" - enable_custom_metrics = true - enable_floating_ip = true - use_public_ip_prefix = false - create_public_ip_prefix = false - existing_public_ip_prefix_id = "" - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - -## Conditional creation -- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: - ``` - availability_type = "Availability Set" - ``` - Otherwise, to deploy the solution based on Azure Availability Zone: - ``` - availability_type = "Availability Zone" - ``` - -- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: - ``` - enable_custom_metrics = true - ``` - -- To create new public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = true - ``` -- To use an existing public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = false - existing_public_ip_prefix_id = "public IP prefix resource id" - ``` - -### Module's variables: - | Name | Description | Type | Allowed values | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | -| **source_image_vhd_uri** | The URI of the blob containing the 
development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
| -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions
| -| **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
| -| **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens
| -| **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group
| -| **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet
| -| **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet
| -| **frontend_IP_addresses** | A list of three whole numbers representing the private IP addresses of the members' eth0 NICs and the cluster VIP IP addresses | list(number) | | -| **backend_IP_addresses** | A list of three whole numbers representing the private IP addresses of the members' eth1 NICs and the backend LB IP addresses | list(number) | | -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character
| -| **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service. Follow these instructions to connect this member. | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal
| -| **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service. Follow these instructions to connect this member. | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal
| -| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long
| -| **vm_size** | Specifies the size of Virtual Machine | string | Various valid sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc.)
| -| **disk_size** | Storage data disk size (GB) | string | A number in the range 100 - 3995 (GB)
| -| **vm_os_sku** | A SKU of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license
| -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81.10";
"check-point-cg-r81.20";
"check-point-cg-r82";
| -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82";
| -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
| -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false;
| -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key";
| -| **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set";
**Default:** "Availability Zone" | -| **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be used for Cluster members monitoring | boolean | true;
false;
**Default:** true | -| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false;
**Default:** true | -| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false;
**Default:** false | -| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used | boolean | true;
false;
**Default:** false | -| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID | string | Existing public IP prefix resource ID
| -| **vips_names** | Names for additional Virtual IP addresses beyond the primary cluster VIP. Each name creates a corresponding public IP resource. | list(string) | **Default:** [] | -| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions | string | | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location | boolean | true;
false;
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | -| **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/high_availability_existing_vnet/cloud-init.sh b/modules/high_availability_existing_vnet/cloud-init.sh deleted file mode 100755 index 77bc6ab..0000000 --- a/modules/high_availability_existing_vnet/cloud-init.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/python3 /etc/cloud_config.py - -installationType="${installation_type}" -allowUploadDownload="${allow_upload_download}" -osVersion="${os_version}" -templateName="${module_name}" -templateVersion="${module_version}" -templateType="${template_type}" -isBlink="${is_blink}" -bootstrapScript64="${bootstrap_script64}" -location="${location}" -sicKey="${sic_key}" -tenantId="${tenant_id}" -virtualNetwork="${virtual_network}" -clusterName="${cluster_name}" -externalPrivateAddresses="${external_private_addresses}" -customMetrics="${enable_custom_metrics}" -adminShell="${admin_shell}" -smart1CloudToken="${smart_1_cloud_token}" -Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]' -passwordHash="${serial_console_password_hash}" -MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/modules/high_availability_existing_vnet/locals.tf b/modules/high_availability_existing_vnet/locals.tf deleted file mode 100755 index 598ec23..0000000 --- a/modules/high_availability_existing_vnet/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - module_name = "high_availability_terraform_registry" - module_version = "1.0.7" -} diff --git a/modules/high_availability_existing_vnet/main.tf b/modules/high_availability_existing_vnet/main.tf deleted file mode 100755 index ee53d2a..0000000 --- a/modules/high_availability_existing_vnet/main.tf +++ /dev/null 
@@ -1,572 +0,0 @@
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = var.number_of_vm_instances
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = var.is_blink
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-resource "random_id" "random_id" {
- byte_length = 13
- keepers = {
- rg_id = module.common.resource_group_id
- }
-}
-
-resource "azurerm_public_ip_prefix" "public_ip_prefix" {
- count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0
- name = "${module.common.resource_group_name}-ipprefix"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- prefix_length = length(var.vips_names) > 4 ? 28 : length(var.vips_names) > 0 ? 29 : 30
- tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
-}
-
-data "azurerm_subnet" "frontend" {
- name = var.frontend_subnet_name
- virtual_network_name = var.vnet_name
- resource_group_name = var.vnet_resource_group
-}
-
-data "azurerm_subnet" "backend" {
- name = var.backend_subnet_name
- virtual_network_name = var.vnet_name
- resource_group_name = var.vnet_resource_group
-}
-
-resource "azurerm_public_ip" "public-ip" {
- count = 2
- name = "${var.cluster_name}${count.index+1}_IP"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}"
- public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "cluster-vip" {
- name = var.cluster_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
- public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "vips" {
- count = length(var.vips_names)
- name = var.vips_names[count.index]
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- domain_name_label = "${lower(var.vips_names[count.index])}-${count.index}-vip-${random_id.random_id.hex}"
- public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface" "nic_vip" {
- depends_on = [
- azurerm_public_ip.cluster-vip,
- azurerm_public_ip.public-ip,
- azurerm_public_ip.vips,
- ]
- name = "${var.cluster_name}1-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
- ip_configuration {
- name = "ipconfig1"
- primary = true
- subnet_id = data.azurerm_subnet.frontend.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[0])
- public_ip_address_id = azurerm_public_ip.public-ip.0.id
- }
- ip_configuration {
- name = "cluster-vip"
- subnet_id = data.azurerm_subnet.frontend.id
- primary = false
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[2])
- public_ip_address_id = azurerm_public_ip.cluster-vip.id
- }
-
- dynamic "ip_configuration" {
- for_each = var.vips_names
- content {
- name = "cluster-vip-${index(var.vips_names, ip_configuration.value) + 1}"
- subnet_id = data.azurerm_subnet.frontend.id
- primary = false
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], 7 + index(var.vips_names, ip_configuration.value) + 1)
- public_ip_address_id = azurerm_public_ip.vips[index(var.vips_names, ip_configuration.value)].id
- }
- }
-
- lifecycle {
- ignore_changes = [
- # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member.
- # updates these based on some ruleset managed elsewhere.
- ip_configuration
- ]
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" {
- depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool]
- network_interface_id = azurerm_network_interface.nic_vip.id
- ip_configuration_name = "ipconfig1"
- backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip,
- azurerm_lb.frontend-lb]
- name = "${var.cluster_name}2-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
- ip_configuration {
- name = "ipconfig1"
- primary = true
- subnet_id = data.azurerm_subnet.frontend.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[1])
- public_ip_address_id = azurerm_public_ip.public-ip.1.id
- }
- lifecycle {
- ignore_changes = [
- # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member.
- # updates these based on some ruleset managed elsewhere.
- ip_configuration
- ]
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" {
- depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool]
- network_interface_id = azurerm_network_interface.nic.id
- ip_configuration_name = "ipconfig1"
- backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id
-}
-
-resource "azurerm_network_interface" "nic1" {
- depends_on = [
- azurerm_lb.backend-lb]
- count = 2
- name = "${var.cluster_name}${count.index+1}-eth1"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
- ip_configuration {
- name = "ipconfig2"
- subnet_id = data.azurerm_subnet.backend.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1])
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" {
- depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool]
- count = 2
- network_interface_id = azurerm_network_interface.nic1[count.index].id
- ip_configuration_name = "ipconfig2"
- backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id
-}
-
-//********************** Load Balancers **************************//
-resource "azurerm_public_ip" "public-ip-lb" {
- name = "frontend_lb_ip"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}"
- public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb" "frontend-lb" {
- depends_on = [
- azurerm_public_ip.public-ip-lb]
- name = "frontend-lb"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- sku = var.sku
-
- frontend_ip_configuration {
- name = "LoadBalancerFrontend"
- public_ip_address_id = azurerm_public_ip.public-ip-lb.id
- }
-
- tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
- loadbalancer_id = azurerm_lb.frontend-lb.id
- name = "frontend-lb-pool"
-}
-
-resource "azurerm_lb" "backend-lb" {
- name = "backend-lb"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- sku = var.sku
- frontend_ip_configuration {
- name = "backend-lb"
- subnet_id = data.azurerm_subnet.backend.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0])
- }
-
- tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
- name = "backend-lb-pool"
- loadbalancer_id = azurerm_lb.backend-lb.id
-}
-
-resource "azurerm_lb_probe" "azure_lb_healprob" {
- count = 2
- loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id
- name = var.lb_probe_name
- protocol = var.lb_probe_protocol
- port = var.lb_probe_port
- interval_in_seconds = var.lb_probe_interval
- number_of_probes = var.lb_probe_unhealthy_threshold
-}
-
-resource "azurerm_lb_rule" "backend_lb_rules" {
- loadbalancer_id = azurerm_lb.backend-lb.id
- name = "backend-lb"
- protocol = "All"
- frontend_port = 0
- backend_port = 0
- frontend_ip_configuration_name = "backend-lb"
- load_distribution = "Default"
- backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id]
- probe_id = azurerm_lb_probe.azure_lb_healprob[1].id
- enable_floating_ip = var.enable_floating_ip
-}
-
-//********************** Availability Set **************************//
-locals {
- availability_set_condition = var.availability_type == "Availability Set" ? true : false
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
-}
-resource "azurerm_availability_set" "availability-set" {
- count = local.availability_set_condition ? 1 : 0
- name = "${var.cluster_name}-AvailabilitySet"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- platform_fault_domain_count = 2
- platform_update_domain_count = 5
- managed = true
- tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-resource "azurerm_virtual_machine" "vm-instance-availability-set" {
- depends_on = [
- azurerm_network_interface.nic,
- azurerm_network_interface.nic1,
- azurerm_network_interface.nic_vip]
- count = local.availability_set_condition ? module.common.number_of_vm_instances : 0
- name = "${var.cluster_name}${count.index+1}"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : ""
- vm_size = module.common.vm_size
- network_interface_ids = count.index == 0 ? [
- azurerm_network_interface.nic_vip.id,
- azurerm_network_interface.nic1.0.id] : [
- azurerm_network_interface.nic.id,
- azurerm_network_interface.nic1.1.id]
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id
- identity {
- type = module.common.vm_instance_identity
- }
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = "${var.cluster_name}-${count.index+1}"
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- os_profile {
- computer_name = "${lower(var.cluster_name)}${count.index+1}"
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- sic_key = var.sic_key
- tenant_id = var.tenant_id
- virtual_network = var.vnet_name
- cluster_name = var.cluster_name
- external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address
- enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
- admin_shell = var.admin_shell
- smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "vm-instance-availability-zone" {
- depends_on = [
- azurerm_network_interface.nic,
- azurerm_network_interface.nic1,
- azurerm_network_interface.nic_vip]
- count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances
- name = "${var.cluster_name}${count.index+1}"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- zones = [
- count.index+1]
- vm_size = module.common.vm_size
- network_interface_ids = count.index == 0 ? [
- azurerm_network_interface.nic_vip.id,
- azurerm_network_interface.nic1.0.id] : [
- azurerm_network_interface.nic.id,
- azurerm_network_interface.nic1.1.id]
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id
- identity {
- type = module.common.vm_instance_identity
- }
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = "${var.cluster_name}-${count.index+1}"
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- os_profile {
- computer_name = "${lower(var.cluster_name)}${count.index+1}"
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- sic_key = var.sic_key
- tenant_id = var.tenant_id
- virtual_network = var.vnet_name
- cluster_name = var.cluster_name
- external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address
- enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
- admin_shell = var.admin_shell
- smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
-//********************** Role Assigments **************************//
-data "azurerm_role_definition" "virtual_machine_contributor_role_definition" {
- name = "Virtual Machine Contributor"
-}
-data "azurerm_role_definition" "reader_role_definition" {
- name = "Reader"
-}
-data "azurerm_client_config" "client_config" {
-}
-resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" {
- count = 2
- lifecycle {
- ignore_changes = [
- role_definition_id, principal_id
- ]
- }
- scope = module.common.resource_group_id
- role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id
- principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
-}
-resource "azurerm_role_assignment" "cluster_reader_assigment" {
- count = 2
- lifecycle {
- ignore_changes = [
- role_definition_id, principal_id
- ]
- }
- scope = module.common.resource_group_id
- role_definition_id = data.azurerm_role_definition.reader_role_definition.id
- principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
-}
\ No newline at end of file
diff --git a/modules/high_availability_existing_vnet/variables.tf b/modules/high_availability_existing_vnet/variables.tf
deleted file mode 100755
index de4f8e6..0000000
--- a/modules/high_availability_existing_vnet/variables.tf
+++ /dev/null
@@ -1,343 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-
-variable "tenant_id" {
- description = "Tenant ID"
- type = string
-}
-
-variable "cluster_name" {
- description = "Cluster name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "availability_type" {
- description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone."
- type = string
- default = "Availability Zone"
-}
-
-locals { // locals for 'availability_type' allowed values
- availability_type_allowed_values = [
- "Availability Zone",
- "Availability Set"
- ]
- // will fail if [var.availability_type] is invalid:
- validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type)
-}
-
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "smart_1_cloud_token_a" {
- description = "Smart-1 Cloud Token, for configuring member A"
- type = string
-}
-
-variable "smart_1_cloud_token_b" {
- description = "Smart-1 Cloud Token, for configuring member B"
- type = string
-}
-
-variable "sic_key" {
- description = "Secure Internal Communication(SIC) key"
- type = string
-}
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
-}
-
-variable "installation_type" {
- description = "Installation type"
- type = string
- default = "cluster"
-}
-
-variable "number_of_vm_instances" {
- description = "Number of VM instances to deploy "
- type = string
- default = "2"
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "is_blink" {
- description = "Define if blink image is used for deployment"
- default = true
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "vnet_resource_group" {
- description = "Resource group of existing vnet"
- type = string
-}
-
-variable "frontend_subnet_name" {
- description = "Frontend subnet name"
- type = string
-}
-
-variable "backend_subnet_name" {
- description = "Backend subnet name"
- type = string
-}
-
-variable "frontend_IP_addresses" {
- description = "A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet."
- type = list(number)
-}
-
-variable "backend_IP_addresses" {
- description = "A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet."
- type = list(number)
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "lb_probe_name" {
- description = "Name to be used for lb health probe"
- default = "health_prob_port"
-}
-
-variable "lb_probe_port" {
- description = "Port to be used for load balancer health probes and rules"
- default = "8117"
-}
-
-variable "lb_probe_protocol" {
- description = "Protocols to be used for load balancer health probes and rules"
- default = "Tcp"
-}
-
-variable "lb_probe_unhealthy_threshold" {
- description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy."
- default = 2
-}
-
-variable "lb_probe_interval" {
- description = "Interval in seconds load balancer health probe rule performs a check"
- default = 5
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "enable_custom_metrics" {
- description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
- type = bool
- default = true
-}
-
-variable "enable_floating_ip" {
- description = "Indicates whether the load balancers will be deployed with floating IP."
- type = bool
- default = true
-}
-
-variable "use_public_ip_prefix" {
- description = "Indicates whether the public IP resources will be deployed with public IP prefix."
- type = bool
- default = false
-}
-
-variable "create_public_ip_prefix" {
- description = "Indicates whether the public IP prefix will created or an existing will be used."
- type = bool
- default = false
-}
-
-variable "existing_public_ip_prefix_id" {
- description = "The existing public IP prefix resource id."
- type = string
- default = ""
-}
-
-locals{
- # Validate both s1c tokens are used or both empty
- is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0
- validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)"
- _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
-
- is_tokens_used = length(var.smart_1_cloud_token_a) > 0
- # Validate both s1c tokens are unqiue
- token_parts_a = split(" ",var.smart_1_cloud_token_a)
- token_parts_b = split(" ",var.smart_1_cloud_token_b)
- acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1]
- acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1]
- is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b
- validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member"
- __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "Used when the authentication_type is 'SSH Public Key': The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = []
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
-
-variable "vips_names" {
- description = "Names to be used for the VIPs"
- type = list(string)
- default = []
-
- # More than 10 VIPs may result in not enough available IPs available in IpPrefix
- validation {
- condition = length(var.vips_names) < 10
- error_message = "The number of VIPs must be less than 10."
- }
-}
\ No newline at end of file
diff --git a/modules/high_availability_existing_vnet/versions.tf b/modules/high_availability_existing_vnet/versions.tf
deleted file mode 100755
index 8827a9f..0000000
--- a/modules/high_availability_existing_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/high_availability_new_vnet/README.md b/modules/high_availability_new_vnet/README.md
deleted file mode 100755
index d7159d1..0000000
--- a/modules/high_availability_new_vnet/README.md
+++ /dev/null
@@ -1,135 +0,0 @@ -# Check Point CloudGuard High Availability Module - New VNet - -This Terraform module deploys Check Point CloudGuard Network Security High Availability solution into a new VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Virtual network -- Network security group -- System assigned identity -- Availability Set - conditional creation - -For additional information, -please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. -- vnet - used for creating new virtual network and subnets. -- network_security_group - used for creating new network security groups and rules. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). 
- -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_new_vnet" - version = "1.0.8" - - tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-ha-terraform" - cluster_name = "checkpoint-ha-terraform" - location = "eastus" - vnet_name = "checkpoint-ha-vnet" - address_space = "10.0.0.0/16" - subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] - admin_password = "xxxxxxxxxxxx" - smart_1_cloud_token_a = "xxxxxxxxxxxx" - smart_1_cloud_token_b = "xxxxxxxxxxxx" - sic_key = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "sg-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - availability_type = "Availability Zone" - enable_custom_metrics = true - enable_floating_ip = true - use_public_ip_prefix = false - create_public_ip_prefix = false - existing_public_ip_prefix_id = "" - vips_names = [] - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - -## Conditional creation -- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: - ``` - availability_type = "Availability Set" - ``` - Otherwise, to deploy the solution based on Azure Availability Zone: - ``` - availability_type = "Availability Zone" - ``` - -- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: - ``` - enable_custom_metrics = true - ``` - -- To create new public IP 
prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = true - ``` -- To use an existing public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = false - existing_public_ip_prefix_id = "public IP prefix resource id" - ``` - -### Module's variables: - | Name | Description | Type | Allowed values | -|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens, and parentheses and cannot end in a period
| -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions
| -| **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
| -| **vnet_name** | The name of the virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens
| -| **address_space** | The address prefixes of the virtual network | string | Valid CIDR block
**Default:** "10.0.0.0/16" | -| **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network (defined by the `address_space` variable)
**Default:** ["10.0.0.0/24", "10.0.1.0/24"] | -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lowercase character, 1 uppercase character, 1 number, and 1 special character
| -| **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service. | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal
| -| **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service. | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal
| -| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long
| -| **vm_size** | Specifies the size of the Virtual Machine | string | Various valid sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc.)
| -| **disk_size** | Storage data disk size (GB) | string | A number in the range 100 - 3995 (GB)
| -| **vm_os_sku** | A SKU of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;
| -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82";
| -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82";
| -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
| -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false;
| -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key";
| -| **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or Azure Availability Zone | string | "Availability Zone";
"Availability Set";
**Default:** "Availability Zone" | -| **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be used for Cluster members monitoring | boolean | true;
false;
**Default:** true | -| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false;
**Default:** true | -| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false;
**Default:** false | -| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used | boolean | true;
false;
**Default:** false | -| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID | string | Existing public IP prefix resource ID
**Default:** "" | -| **vips_names** | Names for additional Virtual IP addresses beyond the primary cluster VIP. Each name creates a corresponding public IP resource. | list(string) | **Default:** [] | -| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | -| **serial_console_password_hash** | Optional parameter to enable serial console connection in case of SSH key as authentication type | string | | -| **maintenance_mode_password_hash**| Maintenance mode password hash, relevant only for R81.20 and higher versions | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a default NSG will be created | string | Existing NSG resource ID
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location | boolean | true;
false;
**Default:** false | -| **storage_account_additional_ips**| IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | -| **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/high_availability_new_vnet/locals.tf b/modules/high_availability_new_vnet/locals.tf deleted file mode 100755 index 598ec23..0000000 --- a/modules/high_availability_new_vnet/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - module_name = "high_availability_terraform_registry" - module_version = "1.0.7" -} diff --git a/modules/high_availability_new_vnet/main.tf b/modules/high_availability_new_vnet/main.tf deleted file mode 100755 index 705e5eb..0000000 --- a/modules/high_availability_new_vnet/main.tf +++ /dev/null 
@@ -1,582 +0,0 @@ -//********************** Basic Configuration **************************// -module "common" { - source = "../common" - resource_group_name = var.resource_group_name - location = var.location - admin_password = var.admin_password - installation_type = var.installation_type - module_name = local.module_name - module_version = local.module_version - number_of_vm_instances = var.number_of_vm_instances - allow_upload_download = var.allow_upload_download - vm_size = var.vm_size - disk_size = var.disk_size - is_blink = var.is_blink - os_version = var.os_version - vm_os_sku = var.vm_os_sku - vm_os_offer = var.vm_os_offer - authentication_type = var.authentication_type - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - storage_account_additional_ips = var.storage_account_additional_ips - tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) -} - -//********************** Networking **************************// -module "vnet" { - source = "../vnet" - vnet_name = var.vnet_name - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id - address_space = var.address_space - subnet_prefixes = var.subnet_prefixes - tags = var.tags -} - -module "network_security_group" { - source = "../network_security_group" - count = var.nsg_id == "" ? 
1 : 0 - resource_group_name = module.common.resource_group_name - security_group_name = "${module.common.resource_group_name}_nsg" - location = module.common.resource_group_location - security_rules = var.security_rules - tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) -} - -resource "random_id" "random_id" { - byte_length = 13 - keepers = { - rg_id = module.common.resource_group_id - } -} - -resource "azurerm_public_ip_prefix" "public_ip_prefix" { - count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0 - name = "${module.common.resource_group_name}-ipprefix" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - prefix_length = length(var.vips_names) > 4 ? 28 : length(var.vips_names) > 0 ? 29 : 30 - tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_public_ip" "public-ip" { - count = 2 - name = "${var.cluster_name}${count.index+1}_IP" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = module.vnet.allocation_method - sku = var.sku - domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" - public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_public_ip" "cluster-vip" { - name = var.cluster_name - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = module.vnet.allocation_method - sku = var.sku - domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" - public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_public_ip" "vips" { - count = length(var.vips_names) - name = var.vips_names[count.index] - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = module.vnet.allocation_method - sku = var.sku - domain_name_label = "${lower(var.vips_names[count.index])}-${count.index}-vip-${random_id.random_id.hex}" - public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_network_interface" "nic_vip" { - depends_on = [ - azurerm_public_ip.cluster-vip, - azurerm_public_ip.public-ip, - azurerm_public_ip.vips, - ] - name = "${var.cluster_name}1-eth0" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - enable_ip_forwarding = true - enable_accelerated_networking = true - - ip_configuration { - name = "ipconfig1" - primary = true - subnet_id = module.vnet.vnet_subnets[0] - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 5) - public_ip_address_id = azurerm_public_ip.public-ip.0.id - } - ip_configuration { - name = "cluster-vip" - subnet_id = module.vnet.vnet_subnets[0] - primary = false - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7) - public_ip_address_id = azurerm_public_ip.cluster-vip.id - } - - dynamic "ip_configuration" { - for_each = var.vips_names - content { - name = "cluster-vip-${index(var.vips_names, ip_configuration.value) + 1}" - subnet_id = module.vnet.vnet_subnets[0] - primary = 
false - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7 + index(var.vips_names, ip_configuration.value) + 1) - public_ip_address_id = azurerm_public_ip.vips[index(var.vips_names, ip_configuration.value)].id - } - } - - lifecycle { - ignore_changes = [ - # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. - # updates these based on some ruleset managed elsewhere. - ip_configuration - ] - } - - tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { - depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] - network_interface_id = azurerm_network_interface.nic_vip.id - ip_configuration_name = "ipconfig1" - backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id -} - -resource "azurerm_network_interface" "nic" { - depends_on = [ - azurerm_public_ip.public-ip, - azurerm_lb.frontend-lb] - name = "${var.cluster_name}2-eth0" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - enable_ip_forwarding = true - enable_accelerated_networking = true - - ip_configuration { - name = "ipconfig1" - primary = true - subnet_id = module.vnet.vnet_subnets[0] - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 6) - public_ip_address_id = azurerm_public_ip.public-ip.1.id - } - lifecycle { - ignore_changes = [ - # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. - # updates these based on some ruleset managed elsewhere. 
- ip_configuration - ] - } - - tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { - depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] - network_interface_id = azurerm_network_interface.nic.id - ip_configuration_name = "ipconfig1" - backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id -} - -resource "azurerm_network_interface" "nic1" { - depends_on = [ - azurerm_lb.backend-lb] - count = 2 - name = "${var.cluster_name}${count.index+1}-eth1" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - enable_ip_forwarding = true - enable_accelerated_networking = true - - ip_configuration { - name = "ipconfig2" - subnet_id = module.vnet.vnet_subnets[1] - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index+5) - } - - tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { - depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] - count = 2 - network_interface_id = azurerm_network_interface.nic1[count.index].id - ip_configuration_name = "ipconfig2" - backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id -} - -//********************** Load Balancers **************************// -resource "azurerm_public_ip" "public-ip-lb" { - name = "frontend_lb_ip" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = module.vnet.allocation_method - sku = var.sku - domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" - public_ip_prefix_id = var.use_public_ip_prefix ? 
(var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb" "frontend-lb" { -// depends_on = [ -// azurerm_public_ip.public-ip-lb] - name = "frontend-lb" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - sku = var.sku - - frontend_ip_configuration { - name = "LoadBalancerFrontend" - public_ip_address_id = azurerm_public_ip.public-ip-lb.id - } - - tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { - loadbalancer_id = azurerm_lb.frontend-lb.id - name = "frontend-lb-pool" -} - -resource "azurerm_lb" "backend-lb" { - name = "backend-lb" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - sku = var.sku - frontend_ip_configuration { - name = "backend-lb" - subnet_id = module.vnet.vnet_subnets[1] - private_ip_address_allocation = module.vnet.allocation_method - private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4) - } - - tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { - name = "backend-lb-pool" - loadbalancer_id = azurerm_lb.backend-lb.id -} - -resource "azurerm_lb_probe" "azure_lb_healprob" { - count = 2 - loadbalancer_id = count.index == 0 ? 
azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id - name = var.lb_probe_name - protocol = var.lb_probe_protocol - port = var.lb_probe_port - interval_in_seconds = var.lb_probe_interval - number_of_probes = var.lb_probe_unhealthy_threshold -} - -resource "azurerm_lb_rule" "backend_lb_rules" { - loadbalancer_id = azurerm_lb.backend-lb.id - name = "backend-lb" - protocol = "All" - frontend_port = 0 - backend_port = 0 - frontend_ip_configuration_name = "backend-lb" - load_distribution = "Default" - backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] - probe_id = azurerm_lb_probe.azure_lb_healprob[1].id - enable_floating_ip = var.enable_floating_ip -} - -//********************** Availability Set **************************// -locals { - availability_set_condition = var.availability_type == "Availability Set" ? true : false - SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false -} -resource "azurerm_availability_set" "availability-set" { - count = local.availability_set_condition ? 
1 : 0 - name = "${var.cluster_name}-AvailabilitySet" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - platform_fault_domain_count = 2 - platform_update_domain_count = 5 - managed = true - - tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {})) -} - -//********************** Storage accounts **************************// -// Generate random text for a unique storage account name -resource "random_id" "randomId" { - keepers = { - # Generate a new ID only when a new resource group is defined - resource_group = module.common.resource_group_name - } - byte_length = 8 -} -resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { - name = "bootdiag${random_id.randomId.hex}" - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - account_tier = module.common.storage_account_tier - account_replication_type = module.common.account_replication_type - account_kind = "StorageV2" - min_tls_version = "TLS1_2" - network_rules { - default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" - ip_rules = module.common.storage_account_ip_rules - } - blob_properties { - delete_retention_policy { - days = "15" - } - } - tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) -} - -//********************** Virtual Machines **************************// -locals { - custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true -} - -resource "azurerm_image" "custom-image" { - count = local.custom_image_condition ? 
1 : 0 - name = "custom-image" - location = var.location - resource_group_name = module.common.resource_group_name - - os_disk { - os_type = "Linux" - os_state = "Generalized" - blob_uri = var.source_image_vhd_uri - } - - tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) -} -resource "azurerm_virtual_machine" "vm-instance-availability-set" { - depends_on = [ - azurerm_network_interface.nic, - azurerm_network_interface.nic1, - azurerm_network_interface.nic_vip] - count = local.availability_set_condition ? module.common.number_of_vm_instances : 0 - name = "${var.cluster_name}${count.index+1}" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" - vm_size = module.common.vm_size - network_interface_ids = count.index == 0 ? [ - azurerm_network_interface.nic_vip.id, - azurerm_network_interface.nic1.0.id] : [ - azurerm_network_interface.nic.id, - azurerm_network_interface.nic1.1.id] - delete_os_disk_on_termination = module.common.delete_os_disk_on_termination - primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id - identity { - type = module.common.vm_instance_identity - } - storage_image_reference { - id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null - publisher = local.custom_image_condition ? null : module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version - } - - storage_os_disk { - name = "${var.cluster_name}-${count.index+1}" - create_option = module.common.storage_os_disk_create_option - caching = module.common.storage_os_disk_caching - managed_disk_type = module.common.storage_account_type - disk_size_gb = module.common.disk_size - } - - dynamic "plan" { - for_each = local.custom_image_condition ? 
[ - ] : [1] - content { - name = module.common.vm_os_sku - publisher = module.common.publisher - product = module.common.vm_os_offer - } - } - - os_profile { - computer_name = "${lower(var.cluster_name)}${count.index+1}" - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = templatefile("${path.module}/cloud-init.sh", { - installation_type = module.common.installation_type - allow_upload_download = module.common.allow_upload_download - os_version = module.common.os_version - module_name = module.common.module_name - module_version = module.common.module_version - template_type = "terraform" - is_blink = module.common.is_blink - bootstrap_script64 = base64encode(var.bootstrap_script) - location = module.common.resource_group_location - sic_key = var.sic_key - tenant_id = var.tenant_id - virtual_network = module.vnet.vnet_name - cluster_name = var.cluster_name - external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address - enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" - admin_shell = var.admin_shell - smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - }) - } - - os_profile_linux_config { - disable_password_authentication = local.SSH_authentication_type_condition - - dynamic "ssh_keys" { - for_each = local.SSH_authentication_type_condition ? [ - 1] : [] - content { - path = "/home/notused/.ssh/authorized_keys" - key_data = var.admin_SSH_key - } - } - } - - boot_diagnostics { - enabled = module.common.boot_diagnostics - storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" - } - - tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_virtual_machine" "vm-instance-availability-zone" { - depends_on = [ - azurerm_network_interface.nic, - azurerm_network_interface.nic1, - azurerm_network_interface.nic_vip] - count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances - name = "${var.cluster_name}${count.index+1}" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - zones = [ - count.index+1] - vm_size = module.common.vm_size - network_interface_ids = count.index == 0 ? [ - azurerm_network_interface.nic_vip.id, - azurerm_network_interface.nic1.0.id] : [ - azurerm_network_interface.nic.id, - azurerm_network_interface.nic1.1.id] - delete_os_disk_on_termination = module.common.delete_os_disk_on_termination - primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id - identity { - type = module.common.vm_instance_identity - } - storage_image_reference { - id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null - publisher = local.custom_image_condition ? null : module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version - } - - storage_os_disk { - name = "${var.cluster_name}-${count.index+1}" - create_option = module.common.storage_os_disk_create_option - caching = module.common.storage_os_disk_caching - managed_disk_type = module.common.storage_account_type - disk_size_gb = module.common.disk_size - } - - dynamic "plan" { - for_each = local.custom_image_condition ? 
[ - ] : [1] - content { - name = module.common.vm_os_sku - publisher = module.common.publisher - product = module.common.vm_os_offer - } - } - - os_profile { - computer_name = "${lower(var.cluster_name)}${count.index+1}" - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = templatefile("${path.module}/cloud-init.sh", { - installation_type = module.common.installation_type - allow_upload_download = module.common.allow_upload_download - os_version = module.common.os_version - module_name = module.common.module_name - module_version = module.common.module_version - template_type = "terraform" - is_blink = module.common.is_blink - bootstrap_script64 = base64encode(var.bootstrap_script) - location = module.common.resource_group_location - sic_key = var.sic_key - tenant_id = var.tenant_id - virtual_network = module.vnet.vnet_name - cluster_name = var.cluster_name - external_private_addresses = cidrhost(module.vnet.subnet_prefixes[0], 7) - enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" - admin_shell = var.admin_shell - smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - }) - } - - os_profile_linux_config { - disable_password_authentication = local.SSH_authentication_type_condition - - dynamic "ssh_keys" { - for_each = local.SSH_authentication_type_condition ? [ - 1] : [] - content { - path = "/home/notused/.ssh/authorized_keys" - key_data = var.admin_SSH_key - } - } - } - - boot_diagnostics { - enabled = module.common.boot_diagnostics - storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" - } - - tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) -} -//********************** Role Assigments **************************// -data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { - name = "Virtual Machine Contributor" -} -data "azurerm_role_definition" "reader_role_definition" { - name = "Reader" -} -data "azurerm_client_config" "client_config" { -} -resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { - count = 2 - lifecycle { - ignore_changes = [ - role_definition_id, principal_id - ] - } - scope = module.common.resource_group_id - role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id - principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") -} -resource "azurerm_role_assignment" "cluster_reader_assigment" { - count = 2 - lifecycle { - ignore_changes = [ - role_definition_id, principal_id - ] - } - scope = module.common.resource_group_id - role_definition_id = data.azurerm_role_definition.reader_role_definition.id - principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") -} \ No newline at end of file diff --git a/modules/high_availability_new_vnet/variables.tf b/modules/high_availability_new_vnet/variables.tf deleted file mode 100755 index 79ca718..0000000 --- a/modules/high_availability_new_vnet/variables.tf +++ /dev/null 
@@ -1,343 +0,0 @@ -//********************** Basic Configuration Variables **************************// -variable "tenant_id" { - description = "Tenant ID" - type = string -} - -variable "cluster_name" { - description = "Cluster name" - type = string -} - -variable "resource_group_name" { - description = "Azure Resource Group name to build into" - type = string -} - -variable "location" { - description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" - type = string -} - -//********************** Virtual Machine Instances Variables **************************// -variable "availability_type" { - description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." - type = string - default = "Availability Zone" -} - -locals { // locals for 'availability_type' allowed values - availability_type_allowed_values = [ - "Availability Zone", - "Availability Set" - ] - // will fail if [var.availability_type] is invalid: - validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) -} - -variable "source_image_vhd_uri" { - type = string - description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." - default = "noCustomUri" -} - -variable "admin_username" { - description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" - default = "notused" -} - -variable "admin_password" { - description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure" - type = string -} - -variable "serial_console_password_hash" { - description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" - type = string - default = "" -} - -variable "maintenance_mode_password_hash" { - description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" - type = string - default = "" -} - -variable "smart_1_cloud_token_a" { - description = "Smart-1 Cloud Token, for configuring member A" - type = string -} - -variable "smart_1_cloud_token_b" { - description = "Smart-1 Cloud Token, for configuring member B" - type = string -} - -variable "sic_key" { - description = "Secure Internal Communication(SIC) key" - type = string -} -resource "null_resource" "sic_key_invalid" { - count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" -} - -variable "installation_type" { - description = "Installaiton type" - type = string - default = "cluster" -} - -variable "number_of_vm_instances" { - description = "Number of VM instances to deploy " - type = string - default = "2" -} - -variable "vm_size" { - description = "Specifies size of Virtual Machine" - type = string -} - -variable "disk_size" { - description = "Storage data disk size size(GB). Select a number between 100 and 3995" - type = string -} - -variable "os_version" { - description = "GAIA OS version" - type = string -} - -locals { // locals for 'vm_os_offer' allowed values - os_version_allowed_values = [ - "R8110", - "R8120", - "R82" - ] - // will fail if [var.os_version] is invalid: - validate_os_version_value = index(local.os_version_allowed_values, var.os_version) -} - -variable "vm_os_sku" { - description = "The sku of the image to be deployed." 
- type = string -} - -variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" - type = string -} - -locals { // locals for 'vm_os_offer' allowed values - vm_os_offer_allowed_values = [ - "check-point-cg-r8110", - "check-point-cg-r8120", - "check-point-cg-r82" - ] - // will fail if [var.vm_os_offer] is invalid: - validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) -} - -variable "authentication_type" { - description = "Specifies whether a password authentication or SSH Public Key authentication should be used" - type = string -} -locals { // locals for 'authentication_type' allowed values - authentication_type_allowed_values = [ - "Password", - "SSH Public Key" - ] - // will fail if [var.authentication_type] is invalid: - validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) -} - -variable "allow_upload_download" { - description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" - type = bool -} - -variable "is_blink" { - description = "Define if blink image is used for deployment" - default = true -} - -variable "admin_shell" { - description = "The admin shell to configure on machine or the first time" - type = string - default = "/etc/cli.sh" -} - -locals { - admin_shell_allowed_values = [ - "/etc/cli.sh", - "/bin/bash", - "/bin/csh", - "/bin/tcsh" - ] - // Will fail if [var.admin_shell] is invalid - validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) -} - -//********************** Natworking Variables **************************// -variable "vnet_name" { - description = "Virtual Network name" - type = string -} - -variable "address_space" { - description = "The address space that is used by a Virtual Network." 
- type = string - default = "10.0.0.0/16" -} - -variable "subnet_prefixes" { - description = "Address prefix to be used for netwok subnets" - type = list(string) - default = [ - "10.0.0.0/24", - "10.0.1.0/24"] -} - -variable "lb_probe_name" { - description = "Name to be used for lb health probe" - default = "health_prob_port" -} - -variable "lb_probe_port" { - description = "Port to be used for load balancer health probes and rules" - default = "8117" -} - -variable "lb_probe_protocol" { - description = "Protocols to be used for load balancer health probes and rules" - default = "Tcp" -} - -variable "lb_probe_unhealthy_threshold" { - description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." - default = 2 -} - -variable "lb_probe_interval" { - description = "Interval in seconds load balancer health probe rule perfoms a check" - default = 5 -} - -variable "bootstrap_script" { - description = "An optional script to run on the initial boot" - #example: - #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" -} - -variable "nsg_id" { - description = "NSG ID - Optional - if empty use default NSG" - default = "" -} - -variable "add_storage_account_ip_rules" { - type = bool - default = false - description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" -} - -variable "storage_account_additional_ips" { - type = list(string) - description = "IPs/CIDRs that are allowed access to the Storage Account" - default = [] -} - -variable "sku" { - description = "SKU" - type = string - default = "Standard" -} - -variable "enable_custom_metrics" { - description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." - type = bool - default = true -} - -variable "enable_floating_ip" { - description = "Indicates whether the load balancers will be deployed with floating IP." 
- type = bool - default = true -} - -variable "use_public_ip_prefix" { - description = "Indicates whether the public IP resources will be deployed with public IP prefix." - type = bool - default = false -} - -variable "create_public_ip_prefix" { - description = "Indicates whether the public IP prefix will created or an existing will be used." - type = bool - default = false -} - -variable "existing_public_ip_prefix_id" { - description = "The existing public IP prefix resource id." - type = string - default = "" -} - -locals{ - # Validate both s1c tokens are used or both empty - is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0 - validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)" - _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) - - is_tokens_used = length(var.smart_1_cloud_token_a) > 0 - # Validate both s1c tokens are unqiue - token_parts_a = split(" ",var.smart_1_cloud_token_a) - token_parts_b = split(" ",var.smart_1_cloud_token_b) - acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1] - acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1] - is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b - validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member" - __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" -} - -variable "admin_SSH_key" { - type = string - description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances." 
- default = "" -} - -variable "security_rules" { - description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]" - type = list(any) - default = [ - { - name = "AllowAllInBound" - priority = "100" - direction = "Inbound" - access = "Allow" - protocol = "*" - source_port_ranges = "*" - destination_port_ranges = "*" - description = "Allow all inbound connections" - source_address_prefix = "*" - destination_address_prefix = "*" - } - ] -} - -variable "tags" { - description = "Assign tags by resource." - type = map(map(string)) - default = {} -} - -variable "vips_names" { - description = "Names to be used for the VIPs" - type = list(string) - default = [] - - # More than 10 VIPs may result in not enough available IPs available in IpPrefix - validation { - condition = length(var.vips_names) < 10 - error_message = "The number of VIPs must be less than 10." - } -} \ No newline at end of file diff --git a/modules/high_availability_new_vnet/versions.tf b/modules/high_availability_new_vnet/versions.tf deleted file mode 100755 index 8827a9f..0000000 --- a/modules/high_availability_new_vnet/versions.tf +++ /dev/null @@ -1,12 +0,0 @@ -terraform { - required_version = ">= 0.14.3" - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.90.0" - } - random = { - version = "~> 3.5.1" - } - } -} \ No newline at end of file diff --git a/modules/management/README.md b/modules/management/README.md new file mode 100644 index 0000000..be44302 --- /dev/null +++ b/modules/management/README.md 
@@ -0,0 +1,151 @@ +# Check Point CloudGuard Management Module +This Terraform module deploys Check Point CloudGuard Network Security Management solution in azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Virtual Machine +- System assigned identity +- Storage account + +This solution uses the following submodules: +- common - used for creating a resource group and defining common variables. +- vnet - used for creating new virtual network and subnets or using an existing virtual network. +- network-security-group - used for creating new network security groups and rules or using an existing network security group. +- storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics. + +## Usage +Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). + +**Example:** +```hcl +provider "azurerm" { + features {} +} + +module "example_module" { + source = "CheckPointSW/cloudguard-network-security/azure//modules/management" + version = "1.0.6" + + # Authentication Variables + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + + # Basic Configurations Variables + resource_group_name = "checkpoint-mgmt-terraform" + mgmt_name = "checkpoint-mgmt-terraform" + location = "eastus" + tags = {} + + # Virtual Machine Instances Variables + source_image_vhd_uri = "noCustomUri" + authentication_type = "Password" + admin_password = "xxxxxxxxxxxx" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + vm_size = "Standard_D4ds_v5" + disk_size = "110" + os_version = "R82" + vm_os_sku = "mgmt-byol" + 
vm_os_offer = "check-point-cg-r82" + allow_upload_download = true + admin_shell = "/etc/cli.sh" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + zone = "" + + # Networking Variables + vnet_name = "checkpoint-mgmt-vnet" + subnet_name = "checkpoint-mgmt-vnet-subnet" + address_space = "10.0.0.0/16" + subnet_prefix = "10.0.0.0/24" + management_GUI_client_network = "0.0.0.0/0" + mgmt_enable_api = "disable" + nsg_id = "" + storage_account_deployment_mode = "New" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] +} +``` + +## Conditional creation +### Virtual Network: +You can specify wether you want to create a new Virtual Network or use an existing one: +- To create a new Virtual Network: + ``` + address_space = "10.0.0.0/16" + ``` +- To use an existing Virtual Network: + ``` + address_space = "" + existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME" + ``` + When using an existing Virtual Network the variable `subnet_name` will be used as the name of the existing subnet inside the Virtual Network, you can also ignore the `address_prefix` when you use an existing Virtual Network. + +### Availability types deployment: +To define the zone for the Management deployment in Availability Zones supported regions: +``` +zone = "1" +``` +If the zone preference is not important, or the selected region does not support Availability Zones, leave the parameter as an empty string or omit it entirely: +``` +zone = "" +``` + +### Boot Diagnostics: +You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. The available options for `storage_account_deployment_mode` are: +- `New` Creates a new storage account to be used for boot diagnostics.
+Usage: `storage_account_deployment_mode = "New"` +- `Exists` Uses an existing storage account for boot diagnostics.
+Usages: + ``` + storage_account_deployment_mode = "Existing" + existing_storage_account_name = "EXISTING_STORAGE_ACCOUNT_NAME" + existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME" + ``` +- `Managed`: Uses a managed (automatically created) storage account for boot diagnostics.
+Usage: `storage_account_deployment_mode = "Managed"` +- `None`: Disables boot diagnostics.
+Usage: `storage_account_deployment_mode = "None"`
+ +## Module's variables: +| Name | Description | Type | Allowed values | +| ---- | ----------- | ---- | -------------- | +| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | N/A | +| **client_id** | The client ID of the Service Principal used to deploy the solution | string | N/A | +| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | N/A | +| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | N/A | +| **resource_group_name** | The name of the resource group that will contain the contents of the deployment. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens, and parenthesis and cannot end in a period. | +| **mgmt_name** | Management name | string. | N/A | +| **location** | The region where the resources will be deployed. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Defaults:** {} | +| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use `noCustomUri` if you want to use marketplace images. | string | **Default:** "noCustomUri" | +| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used. | string | "Password";
"SSH Public Key"; | +| **admin_password**| The password associated with the local administrator account on each cluster member. | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character.| +| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key'. | string | **Default:** "" | +| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type. To generate a password hash, use the command `openssl passwd -6 PASSWORD` on Linux and paste it here. | string | N/A | +| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux and paste it here. | string | N/A | +| **vm_size** | Specifies the size of the Virtual Machine. | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc). | +| **disk_size** | Storage data disk size (GB). | string | A number in the range 100 - 3995 (GB). | +| **os_version** | GAIA OS version. | string | "R8110";
"R8120";
"R82";
**Defaults:**R82 | +| **vm_os_sku** | A SKU of the image to be deployed. | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG;.| +| **vm_os_offer** | The name of the image offer to be deployed. | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82";. | +| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | boolean | true;
false;| +| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | +| **bootstrap_script**. | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
**Default:** "" | +| **zone** | Optional parameter, specifies the Availability Zone the solution should be deployed in. | string | "1"
**Default:** "" | +| **vnet_name** | The name of the virtual network that will be created. | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | +| **existing_vnet_resource_group** | The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network. | string | N/A | +| **subnet_name** | The Virtual Network subnet name used for creating a new subnet with that name when create a new Virtual Network or used as the existing subnet name when using an existing Vritual Network. | string | N/A | +| **address_space** | The address space that is used by a Virtual Network. | string | A valid address in CIDR notation
**Default:** "10.0.0.0/16" | +| **subnet_prefix** | Address prefix to be used for the network subnet. | string | A valid address in CIDR notation
**Default:** "10.0.0.0/24" | +| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | N/A | +| **mgmt_enable_api** | Enable API access to the management. | string | "all";
"management_only";
"gui_clients";
"disable";
**Default:** "disable" | +| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a default NSG will be created. | string | Existing NSG resource ID
**Default:** "" | +| **storage_account_deployment_mode** | Choose the boot diagnostics storage account type. | string | New;
Existing;
Managed;
None;
**Default:** New | +| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location. If false, then access will be allowed from all networks.
Relevant only if `storage_account_deployment_mode = "New"`. | boolean | true;
false;
**Default:** false | +| **storage_account_additional_ips**| IPs/CIDRs that are allowed access to the Storage Account.
Relevant only if `storage_account_deployment_mode = "New"`. | list(string) | A list of valid IPs and CIDRs
**Default:** [] | +| **existing_strorage_account_name** | The existing storage account name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **existing_strorage_account_resource_group_name** | The existing storage account resource group name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **security_rules** | Security rules for the Network Security. | list(any) | A security rule is composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | \ No newline at end of file diff --git a/modules/management_existing_vnet/cloud-init.sh b/modules/management/cloud-init.sh old mode 100755 new mode 100644 similarity index 100% rename from modules/management_existing_vnet/cloud-init.sh rename to modules/management/cloud-init.sh diff --git a/modules/management/locals.tf b/modules/management/locals.tf new file mode 100644 index 0000000..a08ad05 --- /dev/null +++ b/modules/management/locals.tf 
@@ -0,0 +1,104 @@
+locals {
+ module_name = "management_terraform_registry"
+ module_version = "1.0.6"
+
+ // NSG base security rules
+ nsg_base_security_rules = [
+ {
+ name = "SSH"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "22"
+ description = "Allow inbound SSH connection"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "GAiA-portal"
+ priority = "110"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "443"
+ description = "Allow inbound HTTPS access to the GAiA portal"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "SmartConsole-1"
+ priority = "120"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18190"
+ description = "Allow inbound access using the SmartConsole GUI client"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "SmartConsole-2"
+ priority = "130"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "19009"
+ description = "Allow inbound access using the SmartConsole GUI client"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "Logs"
+ priority = "140"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "257"
+ description = "Allow inbound logging connections from managed gateways"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "ICA-pull"
+ priority = "150"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18210"
+ description = "Allow 
security gateways to pull a SIC certificate"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "CRL-fetch"
+ priority = "160"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18264"
+ description = "Allow security gateways to fetch CRLs"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "Policy-fetch"
+ priority = "170"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18191"
+ description = "Allow security gateways to fetch policy"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
diff --git a/modules/management/main.tf b/modules/management/main.tf
new file mode 100644
index 0000000..6ff13e5
--- /dev/null
+++ b/modules/management/main.tf
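Review bot: The Logs, ICA-pull, CRL-fetch and Policy-fetch entries use `source_address_prefix = "*"`, so TCP 257, 18210, 18264 and 18191 are reachable from any address, whereas the SSH, GAiA-portal and SmartConsole rules are scoped to `var.management_GUI_client_network`; with the public IP that main.tf in this commit attaches to the management NIC, those four gateway-facing ports are internet-exposed by default and nothing in the list says this is deliberate. If the gateways' source networks are knowable at deploy time, a dedicated input (analogous to `management_GUI_client_network`) would let operators narrow them; at minimum a comment above the list should record the intent, e.g. `// Gateway-facing rules (257, 18191, 18210, 18264) accept any source; narrow them when the managed gateways' networks are known.` Today the `description` strings are the only place this exposure is documented.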
@@ -0,0 +1,208 @@
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../common/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ is_zonal = var.zone != ""
+ availability_zones_num = "1"
+ availability_zones = var.zone == "" ? [] : [var.zone]
+ admin_password = var.admin_password
+ installation_type = "management"
+ module_name = local.module_name
+ module_version = local.module_version
+ number_of_vm_instances = 1
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = false
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Network Security Group **************************//
+module "network_security_group" {
+ source = "../common/network-security-group"
+ nsg_id = var.nsg_id
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}-nsg"
+ location = module.common.resource_group_location
+ security_rules = setunion(var.security_rules, local.nsg_base_security_rules)
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ depends_on = [
+ module.network_security_group
+ ]
+ source = "../common/vnet"
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ existing_vnet_resource_group = var.existing_vnet_resource_group
+ location = module.common.resource_group_location
+ address_space = var.address_space
+ subnet_prefixes = [var.subnet_prefix]
+ subnet_names = 
[var.subnet_name]
+ nsg_id = module.network_security_group.id
+ tags = var.tags
+}
+
+resource "random_id" "public_ip_suffix" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+
+resource "azurerm_public_ip" "public_ip" {
+ name = var.mgmt_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ idle_timeout_in_minutes = 30
+ domain_name_label = "${lower(var.mgmt_name)}-${random_id.public_ip_suffix.hex}"
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_security_group_association" "security_group_association" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ module.network_security_group
+ ]
+ network_interface_id = azurerm_network_interface.nic.id
+ network_security_group_id = module.network_security_group.id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public_ip,
+ module.vnet
+ ]
+ name = "${var.mgmt_name}-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = false
+
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = module.vnet.subnets[0]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 4)
+ public_ip_address_id = azurerm_public_ip.public_ip.id
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Storage accounts **************************//
+module "vm_boot_diagnostics_storage" {
+ source = "../common/storage-account"
+ storage_account_deployment_mode = var.storage_account_deployment_mode
+ existing_storage_account_name = var.existing_storage_account_name
+ 
existing_storage_account_resource_group_name = var.existing_storage_account_resource_group_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ add_storage_account_ip_rules = var.add_storage_account_ip_rules
+ storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Virtual Machines **************************//
+module "custom_image" {
+ source = "../common/custom-image"
+ source_image_vhd_uri = var.source_image_vhd_uri
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_machine" "mgmt_vm_instance" {
+ depends_on = [
+ azurerm_network_interface.nic
+ ]
+ location = module.common.resource_group_location
+ zones = var.zone == "" ? null : [var.zone]
+ name = var.mgmt_name
+ network_interface_ids = [azurerm_network_interface.nic.id]
+ resource_group_name = module.common.resource_group_name
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = azurerm_network_interface.nic.id
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ dynamic "plan" {
+ for_each = module.custom_image.create_custom_image ? 
[] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.vm_boot_diagnostics_storage.boot_diagnostics
+ storage_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint
+ }
+
+ os_profile {
+ computer_name = lower(var.mgmt_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ module_name = module.common.module_name
+ module_version = module.common.module_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ management_GUI_client_network = var.management_GUI_client_network
+ enable_api = var.mgmt_enable_api
+ admin_shell = var.admin_shell
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = module.common.SSH_authentication_type_condition
+
+ dynamic "ssh_keys" {
+ for_each = module.common.SSH_authentication_type_condition ? [1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = var.admin_SSH_key
+ }
+ }
+ }
+
+ storage_image_reference {
+ id = module.custom_image.id
+ publisher = module.custom_image.create_custom_image ? 
null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.mgmt_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.vm_boot_diagnostics_storage.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
+}
diff --git a/modules/management/variables.tf b/modules/management/variables.tf
new file mode 100644
index 0000000..9fcd55a
--- /dev/null
+++ b/modules/management/variables.tf
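Review bot: `security_rules = setunion(var.security_rules, local.nsg_base_security_rules)` in `module "network_security_group"` merges caller-supplied rules into the base list without checking for collisions, so a caller rule that reuses a base priority (100–170) or a base rule name only fails at apply time inside the submodule, because Azure requires rule priorities to be unique per direction within an NSG. A `null_resource` with a `lifecycle.precondition`, as below, rejects priority collisions at plan time with a message that names the cause; the same shape can be repeated for `name` if the submodule keys rules by name. Separately, `admin_password = var.admin_password` in `module "common"` and the two password hashes passed into `custom_data` come from variables that this commit's variables.tf declares without `sensitive = true`; marking `admin_password` and `client_secret` sensitive keeps their values out of plan output wherever they surface. The precondition references only names already in this file.

```hcl
resource "null_resource" "validate_security_rules" {
  lifecycle {
    precondition {
      condition     = length(distinct([for r in setunion(var.security_rules, local.nsg_base_security_rules) : tostring(r.priority)])) == length(setunion(var.security_rules, local.nsg_base_security_rules))
      error_message = "security_rules must not reuse a priority already taken by the module's base NSG rules (100-170)."
    }
  }
}
// … unchanged: module "network_security_group" and the rest of main.tf …
```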
@@ -0,0 +1,231 @@
+//********************** Basic Configuration Variables **************************//
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into."
+ type = string
+}
+
+variable "mgmt_name" {
+ description = "Management name."
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions."
+ type = string
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ type = string
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used."
+ type = string
+ default = "notused"
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used."
+ type = string
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Macine. The password must meet the complexity requirements of Azure."
+ type = string
+}
+
+variable "admin_SSH_key" {
+ description = "(Optional) The SSH public key for SSH authentication to the template instances."
+ type = string
+ default = ""
+}
+
+variable "serial_console_password_hash" {
+ description = "The serial console password hash used to enable serial console connection in case of SSH key as authentication type."
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
+ type = string
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine."
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size (GB). Select a number between 100 and 3995."
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version."
+ type = string
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed."
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point."
+ type = bool
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time."
+ type = string
+ default = "/etc/cli.sh"
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot."
+ type = string
+ default = ""
+}
+
+variable "zone" {
+ description = "The availability zone to use for the Virtual Machine. Changing this forces a new resource to be created."
+ type = string
+ default = ""
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name."
+ type = string
+}
+
+variable "existing_vnet_resource_group" {
+ description = "The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network."
+ type = string
+ default = ""
+}
+
+variable "subnet_name" {
+ description = "The Virtual Network subnet name."
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "subnet_prefix" {
+ description = "Address prefix to be used for network subnet."
+ type = string
+ default = "10.0.0.0/24"
+}
+
+variable "management_GUI_client_network" {
+ description = "Allowed GUI clients - GUI clients network CIDR."
+ type = string
+
+ validation {
+ condition = can(regex("^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$", var.management_GUI_client_network))
+ error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
+ }
+}
+
+variable "mgmt_enable_api" {
+ description = "Enable api access to the management."
+ type = string
+ default = "disable"
+
+ validation {
+ condition = contains([
+ "disable",
+ "all",
+ "management_only",
+ "gui_clients"
+ ], var.mgmt_enable_api)
+ error_message = "Variable [mgmt_enable_api] must be one of the following: 'disable', 'all', 'management_only', 'gui_clients'."
+ }
+}
+
+variable "nsg_id" {
+ description = "(Optional) The Network Security Group ID."
+ type = string
+ default = ""
+}
+
+variable "storage_account_deployment_mode" {
+ description = "The deployment mode for the storage account. Options are 'New', 'Existing', 'Managed' and 'None'. If 'Existing', the storage account must be specified in the variable 'existing_storage_account_id'."
+ type = string
+ default = "New"
+}
+
+variable "add_storage_account_ip_rules" {
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location."
+ type = bool
+ default = false
+}
+
+variable "storage_account_additional_ips" {
+ description = "IPs / CIDRs that are allowed access to the Storage Account."
+ type = list(string)
+ default = []
+}
+
+variable "existing_storage_account_name" {
+ description = "The name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "existing_storage_account_resource_group_name" {
+ description = "The resource group name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]."
+ type = list(any)
+ default = []
+}
diff --git a/modules/management/versions.tf b/modules/management/versions.tf
new file mode 100644
index 0000000..7e95d53
--- /dev/null
+++ b/modules/management/versions.tf
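Review bot: `client_secret` and `admin_password` are declared as plain `type = string` with no `sensitive = true`, so Terraform echoes the service-principal secret and the VM admin password in `plan`/`apply` output and in any diff of the VM resource; the accompanying versions.tf pins `required_version = ">= 1.6"`, so the attribute is available. I'd add `sensitive = true` to `client_secret`, `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` (state still holds them in clear, so the backend still needs encryption and access control). The file validates only `management_GUI_client_network` and `mgmt_enable_api`; `authentication_type` and `storage_account_deployment_mode` accept any string even though the latter's description enumerates 'New', 'Existing', 'Managed' and 'None' — unless that is checked inside `module.common`, which is not visible here, a `validation` block shaped like the `mgmt_enable_api` one would fail fast instead of at apply time. Minor: that same description points at a variable `existing_storage_account_id` that does not exist; the declared names are `existing_storage_account_name` and `existing_storage_account_resource_group_name`.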
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.6"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.90.0"
+ }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.4.0"
+ }
+ random = {
+ version = "~> 3.6.0"
+ }
+ }
+}
+provider "azapi" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
diff --git a/modules/management_existing_vnet/README.md b/modules/management_existing_vnet/README.md
deleted file mode 100755
index 3113b65..0000000
--- a/modules/management_existing_vnet/README.md
+++ /dev/null
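Review bot: The two `provider` blocks configure `azurerm` and `azapi` inside a reusable child module from `var.client_secret`, which routes a long-lived service-principal secret through tfvars, plan output and state instead of the provider's own `ARM_CLIENT_SECRET`, OIDC or managed-identity paths, and a module that declares its own providers cannot be called with `count`, `for_each` or `depends_on` and strands its resources when the module call is removed. I'd delete both blocks, keep `required_providers`, and let the root module hand in configured providers with `providers = { azurerm = azurerm, azapi = azapi }`. The deleted `management_existing_vnet/versions.tf` further down carried no provider blocks, so this is a new coupling rather than a carry-over. If the blocks must stay, at minimum mark `client_secret` `sensitive = true` at its variable declaration so it is redacted from plan output.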
@@ -1,88 +0,0 @@ -# Check Point CloudGuard Management Module - Existing VNet - -This Terraform module deploys Check Point CloudGuard Network Security Management solution into an existing VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Network security group -- Virtual Machine -- System assigned identity - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. -- network_security_group - used for creating new network security groups and rules. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/management_existing_vnet" - version = "1.0.8" - - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-mgmt-terraform" - mgmt_name = "checkpoint-mgmt-terraform" - location = "eastus" - vnet_name = "checkpoint-mgmt-vnet" - vnet_resource_group = "existing-vnet" - management_subnet_name = "mgmt-subnet" - subnet_1st_Address = "10.0.1.4" - management_GUI_client_network = "0.0.0.0/0" - mgmt_enable_api = "disable" - admin_password = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "mgmt-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - - -### Module's variables: - -| Name | Description | Type | 
Allowed values | -|------|-------------|------|----------------| -| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. | -| **mgmt_name** | Management name | string | | -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | -| **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group. | -| **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet. | -| **subnet_1st_Address** | The first available address of the subnet | string | | -| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | -| **mgmt_enable_api** | Enable api access to the management | string | "all";
"management_only";
"gui_clients";
"disable".
**Default:** "disable" | -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | -| **vm_size** | Specifies the size of Virtual Machine | string | "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5". | -| **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB). | -| **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG. | -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82". | -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82". | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false. | -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key". | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/management_existing_vnet/locals.tf b/modules/management_existing_vnet/locals.tf
deleted file mode 100755
index 4af9887..0000000
--- a/modules/management_existing_vnet/locals.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-locals {
- module_name = "management_terraform_registry"
- module_version = "1.0.7"
-}
diff --git a/modules/management_existing_vnet/main.tf b/modules/management_existing_vnet/main.tf
deleted file mode 100755
index 4ffe493..0000000
--- a/modules/management_existing_vnet/main.tf
+++ /dev/null
@@ -1,314 +0,0 @@
-
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = 1
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = false
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-data "azurerm_subnet" "mgmt_subnet" {
- name = var.management_subnet_name
- virtual_network_name = var.vnet_name
- resource_group_name = var.vnet_resource_group
-}
-
-resource "azurerm_public_ip" "public-ip" {
- name = var.mgmt_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- idle_timeout_in_minutes = 30
- domain_name_label = join("", [
- lower(var.mgmt_name),
- "-",
- random_id.randomId.hex])
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ? 
1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}-nsg"
- location = module.common.resource_group_location
- security_rules = setunion(var.security_rules, [
- {
- name = "SSH"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "22"
- description = "Allow inbound SSH connection"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "GAiA-portal"
- priority = "110"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "443"
- description = "Allow inbound HTTPS access to the GAiA portal"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-1"
- priority = "120"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18190"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-2"
- priority = "130"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "19009"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "Logs"
- priority = "140"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "257"
- description = "Allow inbound logging connections from managed gateways"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "ICA-pull"
- priority = "150"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = 
"*"
- destination_port_ranges = "18210"
- description = "Allow security gateways to pull a SIC certificate"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "CRL-fetch"
- priority = "160"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18264"
- description = "Allow security gateways to fetch CRLs"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "Policy-fetch"
- priority = "170"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18191"
- description = "Allow security gateways to fetch policy"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ])
-
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic]
- network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = var.nsg_id == "" ? 
module.network_security_group[0].network_security_group_id: var.nsg_id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip]
- name = "${var.mgmt_name}-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "ipconfig1"
- subnet_id = data.azurerm_subnet.mgmt_subnet.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = var.subnet_1st_Address
- public_ip_address_id = azurerm_public_ip.public-ip.id
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? 
false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "mgmt-vm-instance" {
- depends_on = [
- azurerm_network_interface.nic]
- location = module.common.resource_group_location
- name = var.mgmt_name
- network_interface_ids = [
- azurerm_network_interface.nic.id]
- resource_group_name = module.common.resource_group_name
- vm_size = module.common.vm_size
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = azurerm_network_interface.nic.id
-
- identity {
- type = module.common.vm_instance_identity
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- os_profile {
- computer_name = lower(var.mgmt_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- management_GUI_client_network = var.management_GUI_client_network
- enable_api = var.mgmt_enable_api
- admin_shell = var.admin_shell
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = var.mgmt_name
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
\ No newline at end of file
diff --git a/modules/management_existing_vnet/variables.tf b/modules/management_existing_vnet/variables.tf
deleted file mode 100755
index ba60cb4..0000000
--- a/modules/management_existing_vnet/variables.tf
+++ /dev/null
@@ -1,236 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "mgmt_name" {
- description = "Management name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "installation_type" {
- description = "Installation type"
- type = string
- default = "management"
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82",
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "management_subnet_name" {
- description = "management subnet name"
- type = string
-}
-
-variable "subnet_1st_Address" {
- description = "The first available address of the subnet"
- type = string
-}
-
-variable "vnet_resource_group" {
- description = "Resource group of existing vnet"
- type = string
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "management_GUI_client_network" {
- description = "Allowed GUI clients - GUI clients network CIDR"
- type = string
-}
-
-variable "mgmt_enable_api" {
- description = "Enable api access to the management. 
allowed values: all, management_only, gui_clients, disable"
- type = string
- default = "disable"
-}
-
-locals {
- regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
- // Will fail if var.management_GUI_client_network is invalid
- regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
-
- mgmt_enable_api_allowed_values = [
- "disable",
- "all",
- "management_only",
- "gui_clients"
- ]
- // will fail if [var.mgmt_enable_api] is invalid:
- validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api)
-
- regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
- // Will fail if var.subnet_1st_Address is invalid
- regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." 
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- default = ""
- type = string
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = []
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
diff --git a/modules/management_existing_vnet/versions.tf b/modules/management_existing_vnet/versions.tf
deleted file mode 100755
index 8827a9f..0000000
--- a/modules/management_existing_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/management_new_vnet/README.md b/modules/management_new_vnet/README.md
deleted file mode 100755
index 11bd2bb..0000000
--- a/modules/management_new_vnet/README.md
+++ /dev/null
@@ -1,90 +0,0 @@ -# Check Point CloudGuard Management Module - New VNet - -This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Virtual network -- Network security group -- Virtual Machine -- System assigned identity - -This solution uses the following submodules: -- common - used for creating a resource group and defining common variables. -- VNet - used for creating new virtual network and subnets. -- network_security_group - used for creating new network security groups and rules. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/management_new_vnet" - version = "1.0.8" - - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-mgmt-terraform" - mgmt_name = "checkpoint-mgmt-terraform" - location = "eastus" - vnet_name = "checkpoint-mgmt-vnet" - address_space = "10.0.0.0/16" - subnet_prefix = "10.0.0.0/24" - management_GUI_client_network = "0.0.0.0/0" - mgmt_enable_api = "disable" - admin_password = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "mgmt-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - - - -### Module's variables: -| Name | 
Description | Type | Allowed values | -|-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens, and parenthesis and cannot end in a period
| -| **mgmt_name** | Management name | string | | -| **location** | The region where the resources will be deployed | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions
| -| **VNet_name** | The name of the virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens
| -| **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation
**Default:** "10.0.0.0/16" | -| **subnet_prefix** | Address prefix to be used for the network subnet | string | A valid address in CIDR notation
**Default:** "10.0.0.0/24" | -| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | -| **mgmt_enable_api** | Enable API access to the management | string | "all";
"management_only";
"gui_clients";
"disable";
**Default:** "disable" | -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character
| -| **vm_size** | Specifies the size of the Virtual Machine | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc.)
| -| **disk_size** | Storage data disk size (GB) | string | A number in the range 100 - 3995 (GB)
| -| **vm_os_sku** | A SKU of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG;
| -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82";
| -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82";
| -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
**Default:** "" | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false;
| -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key";
| -| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type. To generate a password hash, use the command `openssl passwd -6 PASSWORD` on Linux and paste it here | string | | -| **maintenance_mode_password_hash**| Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a default NSG will be created | string | Existing NSG resource ID
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location. If false, then access will be allowed from all networks | boolean | true;
false;
**Default:** false | -| **storage_account_additional_ips**| IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | -| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule is composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" -| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/management_new_vnet/cloud-init.sh b/modules/management_new_vnet/cloud-init.sh
deleted file mode 100755
index cd7c697..0000000
--- a/modules/management_new_vnet/cloud-init.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/python3 /etc/cloud_config.py
-
-installationType="${installation_type}"
-allowUploadDownload="${allow_upload_download}"
-osVersion="${os_version}"
-templateName="${module_name}"
-templateVersion="${module_version}"
-templateType="${template_type}"
-isBlink="${is_blink}"
-bootstrapScript64="${bootstrap_script64}"
-location="${location}"
-managementGUIClientNetwork="${management_GUI_client_network}"
-enableApi="${enable_api}"
-adminShell="${admin_shell}"
-passwordHash="${serial_console_password_hash}"
-MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/modules/management_new_vnet/locals.tf b/modules/management_new_vnet/locals.tf
deleted file mode 100755
index 4af9887..0000000
--- a/modules/management_new_vnet/locals.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-locals {
- module_name = "management_terraform_registry"
- module_version = "1.0.7"
-}
diff --git a/modules/management_new_vnet/main.tf b/modules/management_new_vnet/main.tf
deleted file mode 100755
index 09a2607..0000000
--- a/modules/management_new_vnet/main.tf
+++ /dev/null
@@ -1,320 +0,0 @@
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = 1
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = false
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-module "vnet" {
- source = "../vnet"
-
- vnet_name = var.vnet_name
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- address_space = var.address_space
- subnet_prefixes = [var.subnet_prefix]
- subnet_names = ["${var.mgmt_name}-subnet"]
- nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
- tags = var.tags
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ? 
1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}-nsg"
- location = module.common.resource_group_location
- security_rules = setunion(var.security_rules, [
- {
- name = "SSH"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "22"
- description = "Allow inbound SSH connection"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "GAiA-portal"
- priority = "110"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "443"
- description = "Allow inbound HTTPS access to the GAiA portal"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-1"
- priority = "120"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18190"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-2"
- priority = "130"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "19009"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "Logs"
- priority = "140"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "257"
- description = "Allow inbound logging connections from managed gateways"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "ICA-pull"
- priority = "150"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = 
"*"
- destination_port_ranges = "18210"
- description = "Allow security gateways to pull a SIC certificate"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "CRL-fetch"
- priority = "160"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18264"
- description = "Allow security gateways to fetch CRLs"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "Policy-fetch"
- priority = "170"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18191"
- description = "Allow security gateways to fetch policy"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ])
-
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "public-ip" {
- name = var.mgmt_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- idle_timeout_in_minutes = 30
- domain_name_label = join("", [
- lower(var.mgmt_name),
- "-",
- random_id.randomId.hex])
-
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network_security_group]
- network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = var.nsg_id == "" ? 
module.network_security_group[0].network_security_group_id: var.nsg_id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip]
- name = "${var.mgmt_name}-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "ipconfig1"
- subnet_id = module.vnet.vnet_subnets[0]
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(var.subnet_prefix, 4)
- public_ip_address_id = azurerm_public_ip.public-ip.id
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? 
false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "mgmt-vm-instance" {
- depends_on = [
- azurerm_network_interface.nic]
- location = module.common.resource_group_location
- name = var.mgmt_name
- network_interface_ids = [
- azurerm_network_interface.nic.id]
- resource_group_name = module.common.resource_group_name
- vm_size = module.common.vm_size
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = azurerm_network_interface.nic.id
-
- identity {
- type = module.common.vm_instance_identity
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- os_profile {
- computer_name = lower(var.mgmt_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- management_GUI_client_network = var.management_GUI_client_network
- enable_api = var.mgmt_enable_api
- admin_shell = var.admin_shell
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = var.mgmt_name
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
diff --git a/modules/management_new_vnet/variables.tf b/modules/management_new_vnet/variables.tf
deleted file mode 100755
index f8f2bf3..0000000
--- a/modules/management_new_vnet/variables.tf
+++ /dev/null
@@ -1,235 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "mgmt_name" {
- description = "Management name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "installation_type" {
- description = "Installaiton type"
- type = string
- default = "management"
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed." 
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Natworking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "address_space" {
- description = "The address space that is used by a Virtual Network."
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "subnet_prefix" {
- description = "Address prefix to be used for network subnet"
- type = string
- default = "10.0.0.0/24"
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "management_GUI_client_network" {
- description = "Allowed GUI clients - GUI clients network CIDR"
- type = string
-}
-
-variable "mgmt_enable_api" {
- description = "Enable api access to the management. 
allowed values: all, management_only, gui_clients, disable"
- type = string
- default = "disable"
-}
-
-locals {
- regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
- // Will fail if var.management_GUI_client_network is invalid
- regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
-
- mgmt_enable_api_allowed_values = [
- "disable",
- "all",
- "management_only",
- "gui_clients"
- ]
- // will fail if [var.mgmt_enable_api] is invalid:
- validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api)
-
- regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
- // Will fail if var.address_space is invalid
- regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation."
- // Will fail if var.subnet_prefix is invalid
- regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- default = ""
- type = string
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = []
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
diff --git a/modules/management_new_vnet/versions.tf b/modules/management_new_vnet/versions.tf
deleted file mode 100755
index 8827a9f..0000000
--- a/modules/management_new_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/mds/README.md b/modules/mds/README.md
new file mode 100644
index 0000000..42b86b6
--- /dev/null
+++ b/modules/mds/README.md 
@@ -0,0 +1,158 @@
+# Check Point CloudGuard MDS Module
+This Terraform module deploys Check Point CloudGuard Network Security MDS solution in azure.
+As part of the deployment the following resources are created:
+- Resource group
+- Virtual network
+- Network security group
+- Virtual Machine
+- System assigned identity
+- Storage account
+
+This solution uses the following modules:
+- common - used for creating a resource group and defining common variables.
+- vnet - used for creating new virtual network and subnets or using an existing virtual network.
+- network-security-group - used for creating new network security groups and rules or using an existing network security group.
+- storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics.
+
+## Usage
+Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest).
+
+**Example:**
+```hcl
+provider "azurerm" {
+ features {}
+}
+
+module "example_module" {
+ source = "CheckPointSW/cloudguard-network-security/azure//modules/mds"
+ version = "1.0.6"
+
+ # Authentication Variables
+ client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Basic Configurations Variables
+ resource_group_name = "checkpoint-mds-rg-terraform"
+ mds_name = "checkpoint-mds-terraform"
+ location = "eastus"
+ tags = {}
+
+ # Virtual Machine Instances Variables
+ source_image_vhd_uri = "noCustomUri"
+ authentication_type = "Password"
+ admin_password = "xxxxxxxxxxxx"
+ sic_key = "xxxxxxxxxxxx"
+ serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ installation_type = "mds-primary"
+ primary = "true"
+ secondary = "false"
+ logserver = "false"
+ 
vm_size = "Standard_D4ds_v5"
+ disk_size = "110"
+ os_version = "R82"
+ vm_os_sku = "mgmt-byol"
+ vm_os_offer = "check-point-cg-r82"
+ allow_upload_download = true
+ admin_shell = "/etc/cli.sh"
+ bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+ zone = ""
+
+ # Networking Variables
+ vnet_name = "checkpoint-mds-vnet"
+ subnet_name = "checkpoint-mds-vnet-subnet"
+ address_space = "10.0.0.0/16"
+ subnet_prefix = "10.0.0.0/24"
+ management_GUI_client_network = "0.0.0.0/0"
+ mds_enable_api = "disable"
+ nsg_id = ""
+ storage_account_deployment_mode = "New"
+ add_storage_account_ip_rules = false
+ storage_account_additional_ips = []
+}
+```
+
+## Conditional creation
+### Virtual Network:
+You can specify wether you want to create a new Virtual Network or use an existing one:
+- To create a new Virtual Network:
+ ```
+ address_space = "10.0.0.0/16"
+ ```
+- To use an existing Virtual Network:
+ ```
+ address_space = ""
+ existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME"
+ ```
+ When using an existing Virtual Network the variable `subnet_name` will be used as the name of the existing subnet inside the Virtual Network, you can also ignore the `address_prefix` when you use an existing Virtual Network.
+
+### Availability types deployment:
+To define the zone for MDS deployment in supported regions:
+ ```
+ zone = "3"
+ ```
+ Otherwise, to deploy the solution in regions not supporting Availability Zones:
+ ```
+ zone = ""
+ ```
+
+### Boot Diagnostics:
+You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. The available options for `storage_account_deployment_mode` are:
+- `New` Creates a new storage account to be used for boot diagnostics.
+Usage: `storage_account_deployment_mode = "New"`
+- `Exists` Uses an existing storage account for boot diagnostics.
+Usages:
+ ```
+ storage_account_deployment_mode = "Existing"
+ existing_storage_account_name = "EXISTING_STORAGE_ACCOUNT_NAME"
+ existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME"
+ ```
+- `Managed`: Uses a managed (automatically created) storage account for boot diagnostics.
+Usage: `storage_account_deployment_mode = "Managed"`
+- `None`: Disables boot diagnostics.
+Usage: `storage_account_deployment_mode = "None"`
+
+## Module's variables:
+| Name | Description | Type | Allowed values |
+|------|-------------|------|----------------|
+| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | N/A |
+| **client_id** | The client ID of the Service Principal used to deploy the solution | string | N/A |
+| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | N/A |
+| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | N/A |
+| **resource_group_name** | The name of the resource group that will contain the contents of the deployment. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. |
+| **mds_name** | MDS name. | string | N/A |
+| **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Default:** {} |
+| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. | string | **Default:** "noCustomUri" |
+| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used. | string | "Password";
"SSH Public Key". |
+| **admin_password** | The password associated with the local administrator account on the mds. | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. |
+| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key'. | string | **Default:** "" |
+| **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server or a Multi-Domain Log Server. | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. |
+| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | N/A |
+| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | N/A |
+| **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver. |
+| **vm_size** | Specifies the size of Virtual Machine. | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc). |
+| **disk_size** | Storage data disk size size (GB). | string | A number in the range 100 - 3995 (GB). |
+| **os_version** | GAIA OS version. | string | "R8110";
"R8120";. |
+| **vm_os_sku** | A sku of the image to be deployed. | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG. |
+| **vm_os_offer** | The name of the image offer to be deployed. | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82";. |
+| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | boolean | true;
false. |
+| **admin_shell** | Enables to select different admin shells. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" |
+| **bootstrap_script** | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" |
+| **zone** | Specifies the Availability Zone the solution should be deployed in. | string | "1"
**Default:** "" |
+| **vnet_name** | The name of virtual network that will be created. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. |
+| **existing_vnet_resource_group** | The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network. | string | N/A |
+| **subnet_name** | The Virtual Network subnet name used for creating a new subnet with that name when create a new Virtual Network or used as the existing subnet name when using an existing Vritual Network. | string | N/A |
+| **address_space** | The address space that is used by a Virtual Network. | string | A valid address in CIDR notation.
**Default:** "10.0.0.0/16" |
+| **subnet_prefix** | Address prefix to be used for network subnet. | string | A valid address in CIDR notation.
**Default:** "10.0.0.0/24" |
+| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | N/A |
+| **mds_enable_api** | Enable api access to the mds. | string | "all";
"management_only";
"gui_clients";
"disable".
**Default:** "disable" |
+| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG. | string | Existing NSG resource ID.
**Default:** "" |
+| **storage_account_deployment_mode** | Choose the boot diagnostics storage account type. | string | New;
Existing;
Managed;
None;
**Default:** New |
+| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks.
Relevant only if `storage_account_deployment_mode = "New"`. | boolean | true;
false.
**Default:** false |
+| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account.
Relevant only if `storage_account_deployment_mode = "New"`. | list(string) | A list of valid IPs and CIDRs.
**Default:** [] |
+| **existing_strorage_account_name** | The existing storage account name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" |
+| **existing_strorage_account_resource_group_name** | The existing storage account resource group name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" |
+| **security_rules** | Security rules for the Network Security. | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}]. |
\ No newline at end of file
diff --git a/modules/mds_existing_vnet/cloud-init.sh b/modules/mds/cloud-init.sh
old mode 100755
new mode 100644
similarity index 100%
rename from modules/mds_existing_vnet/cloud-init.sh
rename to modules/mds/cloud-init.sh
diff --git a/modules/mds/locals.tf b/modules/mds/locals.tf
new file mode 100644
index 0000000..d4ba45b
--- /dev/null
+++ b/modules/mds/locals.tf
@@ -0,0 +1,104 @@
+locals {
+ module_name = "mds_terraform_registry"
+ module_version = "1.0.6"
+
+ // NSG base security rules
+ nsg_base_security_rules = [
+ {
+ name = "SSH"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "22"
+ description = "Allow inbound SSH connection"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "GAiA-portal"
+ priority = "110"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "443"
+ description = "Allow inbound HTTPS access to the GAiA portal"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "SmartConsole-1"
+ priority = "120"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18190"
+ description = "Allow inbound access using the SmartConsole GUI client"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "SmartConsole-2"
+ priority = "130"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "19009"
+ description = "Allow inbound access using the SmartConsole GUI client"
+ source_address_prefix = var.management_GUI_client_network
+ destination_address_prefix = "*"
+ },
+ {
+ name = "Logs"
+ priority = "140"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "257"
+ description = "Allow inbound logging connections from managed gateways"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "ICA-pull"
+ priority = "150"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18210"
+ description = "Allow security 
gateways to pull a SIC certificate"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "CRL-fetch"
+ priority = "160"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18264"
+ description = "Allow security gateways to fetch CRLs"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ },
+ {
+ name = "Policy-fetch"
+ priority = "170"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_ranges = "*"
+ destination_port_ranges = "18191"
+ description = "Allow security gateways to fetch policy"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
diff --git a/modules/mds/main.tf b/modules/mds/main.tf
new file mode 100644
index 0000000..5c3b9eb
--- /dev/null
+++ b/modules/mds/main.tf
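Review bot: The last four entries of `nsg_base_security_rules` (`Logs`/257, `ICA-pull`/18210, `CRL-fetch`/18264, `Policy-fetch`/18191) use `source_address_prefix = "*"`, and since main.tf in this commit attaches a public IP to the NIC, those ports are reachable from any Internet address with no input in this hunk to narrow them. A caller who knows its gateways' egress ranges should be able to restrict them; a variable in the style of `management_GUI_client_network` (for example a `gateways_network` string defaulting to `"*"` so existing callers are unaffected) used as the source of these four rules would allow that. The list also deserves a header comment saying that main.tf merges it with user-supplied `security_rules` via `setunion`, and that a user rule reusing one of the priorities 100–170 in the Inbound direction will be rejected by Azure, which requires unique priorities per direction, rather than override the base rule.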
@@ -0,0 +1,212 @@
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../common/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ is_zonal = var.zone != ""
+ availability_zones_num = "1"
+ availability_zones = var.zone == "" ? [] : [var.zone]
+ admin_password = var.admin_password
+ installation_type = var.installation_type
+ module_name = local.module_name
+ module_version = local.module_version
+ number_of_vm_instances = 1
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = false
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Network Security Group **************************//
+module "network_security_group" {
+ source = "../common/network-security-group"
+ nsg_id = var.nsg_id
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}-nsg"
+ location = module.common.resource_group_location
+ security_rules = setunion(var.security_rules, local.nsg_base_security_rules)
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ depends_on = [
+ module.network_security_group
+ ]
+ source = "../common/vnet"
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ existing_vnet_resource_group = var.existing_vnet_resource_group
+ location = module.common.resource_group_location
+ address_space = var.address_space
+ subnet_prefixes = [var.subnet_prefix]
+ subnet_names = 
[var.subnet_name]
+ nsg_id = module.network_security_group.id
+ tags = var.tags
+}
+
+resource "random_id" "public_ip_suffix" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+
+resource "azurerm_public_ip" "public_ip" {
+ name = var.mds_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ idle_timeout_in_minutes = 30
+ domain_name_label = "${lower(var.mds_name)}-${random_id.public_ip_suffix.hex}"
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_security_group_association" "security_group_association" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ module.network_security_group
+ ]
+ network_interface_id = azurerm_network_interface.nic.id
+ network_security_group_id = module.network_security_group.id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public_ip,
+ module.vnet
+ ]
+ name = "${var.mds_name}-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = false
+
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = module.vnet.subnets[0]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 4)
+ public_ip_address_id = azurerm_public_ip.public_ip.id
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Storage accounts **************************//
+module "vm_boot_diagnostics_storage" {
+ source = "../common/storage-account"
+ storage_account_deployment_mode = var.storage_account_deployment_mode
+ existing_storage_account_name = var.existing_storage_account_name
+ 
existing_storage_account_resource_group_name = var.existing_storage_account_resource_group_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ add_storage_account_ip_rules = var.add_storage_account_ip_rules
+ storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Virtual Machines **************************//
+module "custom_image" {
+ source = "../common/custom-image"
+ source_image_vhd_uri = var.source_image_vhd_uri
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_machine" "mds_vm_instance" {
+ depends_on = [
+ azurerm_network_interface.nic
+ ]
+ location = module.common.resource_group_location
+ zones = var.zone == "" ? null : [var.zone]
+ name = var.mds_name
+ network_interface_ids = [azurerm_network_interface.nic.id]
+ resource_group_name = module.common.resource_group_name
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = azurerm_network_interface.nic.id
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ dynamic "plan" {
+ for_each = module.custom_image.create_custom_image ? 
[] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.vm_boot_diagnostics_storage.boot_diagnostics
+ storage_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint
+ }
+
+ os_profile {
+ computer_name = lower(var.mds_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = var.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ module_name = module.common.module_name
+ module_version = module.common.module_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ management_GUI_client_network = var.management_GUI_client_network
+ enable_api = var.mds_enable_api
+ admin_shell = var.admin_shell
+ sic_key = var.sic_key
+ primary = var.primary
+ secondary = var.secondary
+ logserver = var.logserver
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = module.common.SSH_authentication_type_condition
+
+ dynamic "ssh_keys" {
+ for_each = module.common.SSH_authentication_type_condition ? [1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = var.admin_SSH_key
+ }
+ }
+ }
+
+ storage_image_reference {
+ id = module.custom_image.id
+ publisher = module.custom_image.create_custom_image ? 
null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.mds_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.vm_boot_diagnostics_storage.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
+}
diff --git a/modules/mds/variables.tf b/modules/mds/variables.tf
new file mode 100644
index 0000000..bab7e0f
--- /dev/null
+++ b/modules/mds/variables.tf
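Review bot: `module "vnet"` is handed the raw `var.tags` while every other module and resource in this file receives `merge(lookup(var.tags, "<scope>", {}), lookup(var.tags, "all", {}))`; unless the vnet module (outside this diff) performs the per-scope lookup itself, the `virtual-network` scope advertised in the README is never applied and a `map(map(string))` value will fail type-checking against a `map(string)` input, so the consistent form is `tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {}))`. The `ssh_keys` block hard-codes `path = "/home/notused/.ssh/authorized_keys"` while `admin_username` is taken from `module.common.admin_username`, and the `admin_username` variable declared in variables.tf (default `"notused"`) is not passed into `module "common"` anywhere in this file, so setting it is silently ignored; if the common module exposes that input, pass it through and derive the path as `path = "/home/${module.common.admin_username}/.ssh/authorized_keys"`, otherwise drop the unused variable. The `custom_data` template also carries `sic_key`, the admin password and both password hashes; a comment at the `os_profile` block noting that these values therefore reach plan output and state, and that the corresponding variables should be marked sensitive, would tell operators how to treat the state file.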
@@ -0,0 +1,268 @@
+//********************** Basic Configuration Variables **************************//
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into."
+ type = string
+}
+
+variable "mds_name" {
+ description = "MDS name."
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions."
+ type = string
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ type = string
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used."
+ type = string
+ default = "notused"
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used."
+ type = string
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure." 
+ type = string
+}
+
+variable "admin_SSH_key" {
+ description = "(Optional) The SSH public key for SSH authentication to the template instances."
+ type = string
+ default = ""
+}
+
+variable "sic_key" {
+ description = "Secure Internal Communication (SIC) key."
+ type = string
+
+ validation {
+ condition = length(var.sic_key) >= 12
+ error_message = "Variable [sic_key] must be at least 12 characters long."
+ }
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type."
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
+ type = string
+}
+
+variable "installation_type" {
+ description = "Installaiton type."
+ type = string
+ default = "mds-primary"
+
+ validation {
+ condition = contains([
+ "mds-primary",
+ "mds-secondary",
+ "mds-logserver"
+ ], var.installation_type)
+ error_message = "Variable [installation_type] must be one of: 'mds-primary', 'mds-secondary', 'mds-logserver'."
+ }
+}
+
+variable "primary" {
+ type = string
+}
+
+variable "secondary" {
+ type = string
+}
+
+variable "logserver" {
+ type = string
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine."
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995."
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version."
+ type = string
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82."
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point."
+ type = bool
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time."
+ type = string
+ default = "/etc/cli.sh"
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot."
+ default = ""
+ type = string
+}
+
+variable "zone" {
+ description = "The availability zone to use for the Virtual Machine. Changing this forces a new resource to be created."
+ type = string
+ default = ""
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name."
+ type = string
+}
+
+variable "existing_vnet_resource_group" {
+ description = "The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network."
+ type = string
+ default = ""
+}
+
+variable "subnet_name" {
+ description = "The Virtual Network subnets names."
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "subnet_prefix" {
+ description = "Address prefix to be used for network subnet."
+ type = string
+ default = "10.0.0.0/24"
+}
+
+variable "management_GUI_client_network" {
+ description = "Allowed GUI clients - GUI clients network CIDR."
+ type = string
+
+ validation {
+ condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32"
+ error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
+ }
+}
+
+variable "mds_enable_api" {
+ description = "Enable api access to the management." 
+ type = string
+ default = "disable"
+
+ validation {
+ condition = contains([
+ "disable",
+ "all",
+ "management_only",
+ "gui_clients"
+ ], var.mds_enable_api)
+ error_message = "Variable [mds_enable_api] must be one of the following: 'disable', 'all', 'management_only', 'gui_clients'."
+ }
+}
+
+variable "nsg_id" {
+ description = "(Optional) The Network Security Group ID."
+ type = string
+ default = ""
+}
+
+variable "storage_account_deployment_mode" {
+ description = "The deployment mode for the storage account. Options are 'New', 'Existing', 'Managed' and 'None'. If 'Existing', the storage account must be specified in the variable 'existing_storage_account_id'."
+ type = string
+ default = "New"
+}
+
+variable "add_storage_account_ip_rules" {
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location."
+ type = bool
+ default = false
+}
+
+variable "storage_account_additional_ips" {
+ description = "IPs/CIDRs that are allowed access to the Storage Account."
+ type = list(string)
+ default = []
+}
+
+variable "existing_storage_account_name" {
+ description = "The name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "existing_storage_account_resource_group_name" {
+ description = "The resource group name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]."
+ type = list(any)
+ default = []
+}
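Review bot: None of the secret-bearing inputs in this hunk — `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash`, `maintenance_mode_password_hash` — is marked `sensitive = true`, although versions.tf in the same commit requires Terraform `>= 1.6`, which supports it; without the flag their values are echoed in plan/apply output and error messages, and the flag would also propagate to derived values such as the VM's `custom_data`, so add `sensitive = true` to each of those five blocks. The `management_GUI_client_network` validation regex admits only `0.0.0.0/0`, a bare IPv4 host or a `/32`, which contradicts the description "GUI clients network CIDR" and leaves a caller with, say, a /24 of admin workstations no option but `0.0.0.0/0` — the value the README example uses, and which locals.tf then places as the source of the SSH, 443, 18190 and 19009 rules on the public IP; unless the appliance setting itself accepts only a single host, widen the trailing `(\\/32)?` to an optional prefix length such as `(\\/([0-9]|[12][0-9]|3[0-2]))?` and keep the existing `!= "0.0.0.0/32"` exclusion. The `storage_account_deployment_mode` description refers to a variable `existing_storage_account_id` that does not exist; the inputs actually declared are `existing_storage_account_name` and `existing_storage_account_resource_group_name` (the README table in this commit also misspells both as `existing_strorage_…`). `primary`, `secondary` and `logserver` are free-form strings with no description or validation even though `installation_type` already encodes the same choice, so a one-line description on each, or a validation restricting them to `"true"`/`"false"`, would keep inconsistent combinations from reaching cloud-init.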
diff --git a/modules/mds/versions.tf b/modules/mds/versions.tf
new file mode 100644
index 0000000..7e95d53
--- /dev/null
+++ b/modules/mds/versions.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.6"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.90.0"
+ }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.4.0"
+ }
+ random = {
+ version = "~> 3.6.0"
+ }
+ }
+}
+provider "azapi" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
diff --git a/modules/mds_existing_vnet/README.md b/modules/mds_existing_vnet/README.md
deleted file mode 100755
index a23a37c..0000000
--- a/modules/mds_existing_vnet/README.md
+++ /dev/null
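Review bot: versions.tf declares `provider "azapi"` and `provider "azurerm"` blocks, with service-principal credentials, inside a child module; Terraform's guidance is that provider configurations belong in the root module, because a module that contains its own provider blocks cannot be called with `count`, `for_each` or `depends_on`, and its resources can no longer be destroyed cleanly once the calling `module` block is removed. The `azapi` provider is also required at `~> 2.4.0`, yet no `azapi` resource or data source appears in main.tf or locals.tf in this diff, so unless the `../common/*` modules use it both the requirement and the provider block look unused. Prefer keeping only `required_providers` here and documenting in the README that callers configure the providers, or at minimum add a comment above the `provider` blocks explaining why this module configures them itself and which of its inputs they consume.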
@@ -1,100 +0,0 @@ -# Check Point CloudGuard MDS Module - Existing VNet - -This Terraform module deploys Check Point CloudGuard Network Security Management solution into an existing VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Network security group -- Virtual Machine -- System assigned identity - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. -- network_security_group - used for creating new network security groups and rules. - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_existing_vnet" - version = "1.0.8" - - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-mds-rg-terraform" - mds_name = "checkpoint-mds-terraform" - location = "eastus" - vnet_name = "checkpoint-mds-vnet" - vnet_resource_group = "existing-vnet" - management_subnet_name = "mgmt-subnet" - subnet_1st_Address = "10.0.1.4" - management_GUI_client_network = "0.0.0.0/0" - mds_enable_api = "disable" - admin_password = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "mgmt-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - admin_shell = "/etc/cli.sh" - sic_key = "xxxxxxxxxxxx" - installation_type = "mds-primary" - primary = "true" - secondary = "false" - logserver = "false" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false 
- storage_account_additional_ips = [] -} -``` - - -### Module's variables: - -# Parameters Description - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. | -| **mds_name** | MDS name | string | | -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | -| **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group. | -| **management_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet. | -| **subnet_1st_Address** | First available address in management subnet | string | | -| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | -| **mds_enable_api** | Enable api access to the mds | string | "all";
"management_only";
"gui_clients";
"disable".
**Default:** "disable" | -| **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | -| **vm_size** | Specifies the size of Virtual Machine | string | "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5". | -| **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB). | -| **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG. | -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82". | -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82". | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false. | -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key". | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server or a Multi-Domain Log Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | -| **installation_type** | Enables to select installation type - gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver. | -| **primary** | Indicates if the installation type is mds-primary | boolean | true;
false. | -| **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false. | -| **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false. | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | -| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/mds_existing_vnet/locals.tf b/modules/mds_existing_vnet/locals.tf deleted file mode 100755 index 5337008..0000000 --- a/modules/mds_existing_vnet/locals.tf +++ /dev/null @@ -1,4 +0,0 @@ -locals { - module_name = "mds_terraform_registry" - module_version = "1.0.7" -} diff --git a/modules/mds_existing_vnet/main.tf b/modules/mds_existing_vnet/main.tf deleted file mode 100755 index 623e54f..0000000 --- a/modules/mds_existing_vnet/main.tf +++ /dev/null 
@@ -1,318 +0,0 @@ -//********************** Basic Configuration **************************// -module "common" { - source = "../common" - resource_group_name = var.resource_group_name - location = var.location - admin_password = var.admin_password - module_name = local.module_name - installation_type = var.installation_type - module_version = local.module_version - number_of_vm_instances = 1 - allow_upload_download = var.allow_upload_download - vm_size = var.vm_size - disk_size = var.disk_size - is_blink = false - os_version = var.os_version - vm_os_sku = var.vm_os_sku - vm_os_offer = var.vm_os_offer - authentication_type = var.authentication_type - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - storage_account_additional_ips = var.storage_account_additional_ips - tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) -} - -//********************** Networking **************************// -data "azurerm_subnet" "mds_subnet" { - name = var.management_subnet_name - virtual_network_name = var.vnet_name - resource_group_name = var.vnet_resource_group -} - -resource "azurerm_public_ip" "public-ip" { - name = var.mds_name - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = var.vnet_allocation_method - sku = var.sku - idle_timeout_in_minutes = 30 - domain_name_label = join("", [ - lower(var.mds_name), - "-", - random_id.randomId.hex]) - - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -module "network_security_group" { - source = "../network_security_group" - count = var.nsg_id == "" ? 
1 : 0 - resource_group_name = module.common.resource_group_name - security_group_name = "${module.common.resource_group_name}-nsg" - location = module.common.resource_group_location - security_rules = setunion(var.security_rules, [ - { - name = "SSH" - priority = "100" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "22" - description = "Allow inbound SSH connection" - source_address_prefix = var.management_GUI_client_network - destination_address_prefix = "*" - }, - { - name = "GAiA-portal" - priority = "110" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "443" - description = "Allow inbound HTTPS access to the GAiA portal" - source_address_prefix = var.management_GUI_client_network - destination_address_prefix = "*" - }, - { - name = "SmartConsole-1" - priority = "120" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "18190" - description = "Allow inbound access using the SmartConsole GUI client" - source_address_prefix = var.management_GUI_client_network - destination_address_prefix = "*" - }, - { - name = "SmartConsole-2" - priority = "130" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "19009" - description = "Allow inbound access using the SmartConsole GUI client" - source_address_prefix = var.management_GUI_client_network - destination_address_prefix = "*" - }, - { - name = "Logs" - priority = "140" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "257" - description = "Allow inbound logging connections from managed gateways" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "ICA-pull" - priority = "150" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = 
"*" - destination_port_ranges = "18210" - description = "Allow security gateways to pull a SIC certificate" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "CRL-fetch" - priority = "160" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "18264" - description = "Allow security gateways to fetch CRLs" - source_address_prefix = "*" - destination_address_prefix = "*" - }, - { - name = "Policy-fetch" - priority = "170" - direction = "Inbound" - access = "Allow" - protocol = "Tcp" - source_port_ranges = "*" - destination_port_ranges = "18191" - description = "Allow security gateways to fetch policy" - source_address_prefix = "*" - destination_address_prefix = "*" - } - ]) - - tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_network_interface_security_group_association" "security_group_association" { - depends_on = [azurerm_network_interface.nic] - network_interface_id = azurerm_network_interface.nic.id - network_security_group_id = var.nsg_id == "" ? 
module.network_security_group[0].network_security_group_id: var.nsg_id -} - -resource "azurerm_network_interface" "nic" { - depends_on = [ - azurerm_public_ip.public-ip] - name = "${var.mds_name}-eth0" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - enable_ip_forwarding = false - - ip_configuration { - name = "ipconfig1" - subnet_id = data.azurerm_subnet.mds_subnet.id - private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = var.subnet_1st_Address - public_ip_address_id = azurerm_public_ip.public-ip.id - } - - tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) -} - -//********************** Storage accounts **************************// -// Generate random text for a unique storage account name -resource "random_id" "randomId" { - keepers = { - # Generate a new ID only when a new resource group is defined - resource_group = module.common.resource_group_name - } - byte_length = 8 -} -resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { - name = "bootdiag${random_id.randomId.hex}" - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - account_tier = module.common.storage_account_tier - account_replication_type = module.common.account_replication_type - account_kind = "StorageV2" - min_tls_version = "TLS1_2" - network_rules { - default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" - ip_rules = module.common.storage_account_ip_rules - } - blob_properties { - delete_retention_policy { - days = "15" - } - } - tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) -} - -//********************** Virtual Machines **************************// -locals { - SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false - custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? 
false : true -} - -resource "azurerm_image" "custom-image" { - count = local.custom_image_condition ? 1 : 0 - name = "custom-image" - location = var.location - resource_group_name = module.common.resource_group_name - - os_disk { - os_type = "Linux" - os_state = "Generalized" - blob_uri = var.source_image_vhd_uri - } - - tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_virtual_machine" "mds-vm-instance" { - depends_on = [ - azurerm_network_interface.nic] - location = module.common.resource_group_location - name = var.mds_name - network_interface_ids = [ - azurerm_network_interface.nic.id] - resource_group_name = module.common.resource_group_name - vm_size = module.common.vm_size - delete_os_disk_on_termination = module.common.delete_os_disk_on_termination - primary_network_interface_id = azurerm_network_interface.nic.id - - identity { - type = module.common.vm_instance_identity - } - - dynamic "plan" { - for_each = local.custom_image_condition ? [ - ] : [1] - content { - name = module.common.vm_os_sku - publisher = module.common.publisher - product = module.common.vm_os_offer - } - } - - boot_diagnostics { - enabled = module.common.boot_diagnostics - storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" - } - - os_profile { - computer_name = lower(var.mds_name) - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = templatefile("${path.module}/cloud-init.sh", { - installation_type = var.installation_type - allow_upload_download = module.common.allow_upload_download - os_version = module.common.os_version - module_name = module.common.module_name - module_version = module.common.module_version - template_type = "terraform" - is_blink = module.common.is_blink - bootstrap_script64 = base64encode(var.bootstrap_script) - location = module.common.resource_group_location - management_GUI_client_network = var.management_GUI_client_network - enable_api = var.mds_enable_api - admin_shell = var.admin_shell - sic_key = var.sic_key - primary = var.primary - secondary = var.secondary - logserver = var.logserver - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - }) - } - - - os_profile_linux_config { - disable_password_authentication = local.SSH_authentication_type_condition - - dynamic "ssh_keys" { - for_each = local.SSH_authentication_type_condition ? [ - 1] : [] - content { - path = "/home/notused/.ssh/authorized_keys" - key_data = var.admin_SSH_key - } - } - } - - storage_image_reference { - id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null - publisher = local.custom_image_condition ? 
null : module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version - } - - storage_os_disk { - name = var.mds_name - create_option = module.common.storage_os_disk_create_option - caching = module.common.storage_os_disk_caching - managed_disk_type = module.common.storage_account_type - disk_size_gb = module.common.disk_size - } - - tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) -} \ No newline at end of file diff --git a/modules/mds_existing_vnet/variables.tf b/modules/mds_existing_vnet/variables.tf deleted file mode 100755 index 7b39036..0000000 --- a/modules/mds_existing_vnet/variables.tf +++ /dev/null 
@@ -1,265 +0,0 @@ -//********************** Basic Configuration Variables **************************// -variable "mds_name" { - description = "MDS name" - type = string -} - -variable "resource_group_name" { - description = "Azure Resource Group name to build into" - type = string -} - -variable "location" { - description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" - type = string -} - -//********************** Virtual Machine Instances Variables **************************// -variable "source_image_vhd_uri" { - type = string - description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." - default = "noCustomUri" -} - -variable "admin_username" { - description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" - default = "notused" -} - -variable "admin_password" { - description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" - type = string -} - -variable "serial_console_password_hash" { - description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" - type = string - default = "" -} - -variable "maintenance_mode_password_hash" { - description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" - type = string - default = "" -} - -variable "authentication_type" { - description = "Specifies whether a password authentication or SSH Public Key authentication should be used" - type = string -} -locals { // locals for 'authentication_type' allowed values - authentication_type_allowed_values = [ - "Password", - "SSH Public Key" - ] - // will fail if [var.authentication_type] is invalid: - validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) -} - -variable "installation_type" { - description = "Installaiton type" - type = string - default = "mds-primary" -} - -variable "primary" { - type = string -} - -variable "secondary" { - type = string -} - -variable "logserver" { - type = string -} - -locals { //locals for 'installation_type' - isntallation_type_allowed_values = [ - "mds-primary", - "mds-secondary", - "mds-logserver" - ] -} - -variable "vm_size" { - description = "Specifies size of Virtual Machine" - type = string -} - -variable "disk_size" { - description = "Storage data disk size size(GB). Select a number between 100 and 3995" - type = string -} - -variable "os_version" { - description = "GAIA OS version" - type = string -} - -locals { // locals for 'vm_os_offer' allowed values - os_version_allowed_values = [ - "R8110", - "R8120", - "R82" - ] - // will fail if [var.os_version] is invalid: - validate_os_version_value = index(local.os_version_allowed_values, var.os_version) -} - -variable "vm_os_sku" { - description = "The sku of the image to be deployed." 
- type = string -} - -variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" - type = string -} - -locals { // locals for 'vm_os_offer' allowed values - vm_os_offer_allowed_values = [ - "check-point-cg-r8110", - "check-point-cg-r8120", - "check-point-cg-r82" - ] - // will fail if [var.vm_os_offer] is invalid: - validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) -} - -variable "allow_upload_download" { - description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" - type = bool -} - -variable "admin_shell" { - description = "The admin shell to configure on machine or the first time" - type = string - default = "/etc/cli.sh" -} - -locals { - admin_shell_allowed_values = [ - "/etc/cli.sh", - "/bin/bash", - "/bin/csh", - "/bin/tcsh" - ] - // Will fail if [var.admin_shell] is invalid - validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) -} - -//********************** Networking Variables **************************// -variable "vnet_name" { - description = "Virtual Network name" - type = string -} - -variable "management_subnet_name" { - description = "management subnet name" - type = string -} - -variable "subnet_1st_Address" { - description = "The first available address of the subnet" - type = string -} - -variable "vnet_resource_group" { - description = "Resource group of existing vnet" - type = string -} - -variable "vnet_allocation_method" { - description = "IP address allocation method" - type = string - default = "Static" -} - -variable "management_GUI_client_network" { - description = "Allowed GUI clients - GUI clients network CIDR" - type = string - validation { - condition = 
can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32" - error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)." - } -} - -variable "mds_enable_api" { - description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" - type = string - default = "disable" -} - -locals { - mds_enable_api_allowed_values = [ - "disable", - "all", - "management_only", - "gui_clients" - ] - // will fail if [var.mds_enable_api] is invalid: - validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api) - - regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" - // Will fail if var.subnet_1st_Address is invalid - regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." 
-} - -variable "bootstrap_script" { - description = "An optional script to run on the initial boot" - default = "" - type = string - #example: - #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" -} - -variable "nsg_id" { - description = "NSG ID - Optional - if empty use default NSG" - default = "" -} - -variable "add_storage_account_ip_rules" { - type = bool - default = false - description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" -} - -variable "storage_account_additional_ips" { - type = list(string) - description = "IPs/CIDRs that are allowed access to the Storage Account" - default = [] -} - -variable sic_key { - description = "sic_key" - type = string -} - -resource "null_resource" "sic_key_invalid" { - count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" -} - -variable "sku" { - description = "SKU" - type = string - default = "Standard" -} - -variable "admin_SSH_key" { - type = string - description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances." - default = "" -} - -variable "security_rules" { - description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]" - type = list(any) - default = [] -} - -variable "tags" { - description = "Assign tags by resource." - type = map(map(string)) - default = {} -} diff --git a/modules/mds_existing_vnet/versions.tf b/modules/mds_existing_vnet/versions.tf deleted file mode 100755 index 8827a9f..0000000 --- a/modules/mds_existing_vnet/versions.tf +++ /dev/null 
@@ -1,12 +0,0 @@ -terraform { - required_version = ">= 0.14.3" - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 3.90.0" - } - random = { - version = "~> 3.5.1" - } - } -} \ No newline at end of file diff --git a/modules/mds_new_vnet/README.md b/modules/mds_new_vnet/README.md deleted file mode 100755 index 64ba4e5..0000000 --- a/modules/mds_new_vnet/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Check Point CloudGuard MDS Module - New VNet - -This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Virtual network -- Network security group -- Virtual Machine -- System assigned identity - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. -- vnet - used for creating new virtual network and subnets. -- network_security_group - used for creating new network security groups and rules. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_new_vnet" - version = "1.0.8" - - - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-mds-rg-terraform" - mds_name = "checkpoint-mds-terraform" - location = "eastus" - vnet_name = "checkpoint-mds-vnet" - address_space = "10.0.0.0/16" - subnet_prefix = "10.0.0.0/24" - management_GUI_client_network = "0.0.0.0/0" - mds_enable_api = "disable" - admin_password = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "mgmt-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - admin_shell = "/etc/cli.sh" - sic_key = "xxxxxxxxxxxx" - installation_type = "mds-primary" - primary = "true" - secondary = "false" - logserver = "false" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - 
add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - - -### Module's variables: - -# Parameters Description - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. | -| **mds_name** | MDS name | string | | -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | -| **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation.
**Default:** "10.0.0.0/16" | -| **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation.
**Default:** "10.0.0.0/24" | -| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | -| **mds_enable_api** | Enable api access to the mds | string | "all";
"management_only";
"gui_clients";
"disable".
**Default:** "disable" | -| **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | -| **vm_size** | Specifies the size of Virtual Machine | string | "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5". | -| **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB). | -| **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG. | -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82". | -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82". | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false. | -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key". | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server or a Multi-Domain Log Server| string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | -| **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver. | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | -| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/mds_new_vnet/cloud-init.sh b/modules/mds_new_vnet/cloud-init.sh
deleted file mode 100755
index 2f25a58..0000000
--- a/modules/mds_new_vnet/cloud-init.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/python3 /etc/cloud_config.py
-
-installationType="${installation_type}"
-allowUploadDownload="${allow_upload_download}"
-osVersion="${os_version}"
-templateName="${module_name}"
-templateVersion="${module_version}"
-templateType="${template_type}"
-isBlink="${is_blink}"
-bootstrapScript64="${bootstrap_script64}"
-location="${location}"
-managementGUIClientNetwork="${management_GUI_client_network}"
-enableApi="${enable_api}"
-adminShell="${admin_shell}"
-sicKey="${sic_key}"
-primary="${primary}"
-secondary="${secondary}"
-logserver="${logserver}"
-passwordHash="${serial_console_password_hash}"
-MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/modules/mds_new_vnet/locals.tf b/modules/mds_new_vnet/locals.tf
deleted file mode 100755
index 5337008..0000000
--- a/modules/mds_new_vnet/locals.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-locals {
- module_name = "mds_terraform_registry"
- module_version = "1.0.7"
-}
diff --git a/modules/mds_new_vnet/main.tf b/modules/mds_new_vnet/main.tf
deleted file mode 100755
index ff1050b..0000000
--- a/modules/mds_new_vnet/main.tf
+++ /dev/null
@@ -1,324 +0,0 @@
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = 1
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = false
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-module "vnet" {
- source = "../vnet"
-
- vnet_name = var.vnet_name
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- address_space = var.address_space
- subnet_prefixes = [var.subnet_prefix]
- subnet_names = ["${var.mds_name}-subnet"]
- nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
- tags = var.tags
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ? 1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}-nsg"
- location = module.common.resource_group_location
- security_rules = setunion(var.security_rules ,[
- {
- name = "SSH"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "22"
- description = "Allow inbound SSH connection"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "GAiA-portal"
- priority = "110"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "443"
- description = "Allow inbound HTTPS access to the GAiA portal"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-1"
- priority = "120"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18190"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "SmartConsole-2"
- priority = "130"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "19009"
- description = "Allow inbound access using the SmartConsole GUI client"
- source_address_prefix = var.management_GUI_client_network
- destination_address_prefix = "*"
- },
- {
- name = "Logs"
- priority = "140"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "257"
- description = "Allow inbound logging connections from managed gateways"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "ICA-pull"
- priority = "150"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18210"
- description = "Allow security gateways to pull a SIC certificate"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "CRL-fetch"
- priority = "160"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18264"
- description = "Allow security gateways to fetch CRLs"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- },
- {
- name = "Policy-fetch"
- priority = "170"
- direction = "Inbound"
- access = "Allow"
- protocol = "Tcp"
- source_port_ranges = "*"
- destination_port_ranges = "18191"
- description = "Allow security gateways to fetch policy"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ])
-
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "public-ip" {
- name = var.mds_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- idle_timeout_in_minutes = 30
- domain_name_label = join("", [
- lower(var.mds_name),
- "-",
- random_id.randomId.hex])
-
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network_security_group]
- network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip]
- name = "${var.mds_name}-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = false
-
- ip_configuration {
- name = "ipconfig1"
- subnet_id = module.vnet.vnet_subnets[0]
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(var.subnet_prefix, 4)
- public_ip_address_id = azurerm_public_ip.public-ip.id
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "mds-vm-instance" {
- depends_on = [
- azurerm_network_interface.nic]
- location = module.common.resource_group_location
- name = var.mds_name
- network_interface_ids = [
- azurerm_network_interface.nic.id]
- resource_group_name = module.common.resource_group_name
- vm_size = module.common.vm_size
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = azurerm_network_interface.nic.id
-
- identity {
- type = module.common.vm_instance_identity
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- os_profile {
- computer_name = lower(var.mds_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = var.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- management_GUI_client_network = var.management_GUI_client_network
- enable_api = var.mds_enable_api
- admin_shell = var.admin_shell
- sic_key = var.sic_key
- primary = var.primary
- secondary = var.secondary
- logserver = var.logserver
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = var.mds_name
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
diff --git a/modules/mds_new_vnet/variables.tf b/modules/mds_new_vnet/variables.tf
deleted file mode 100755
index 291f847..0000000
--- a/modules/mds_new_vnet/variables.tf
+++ /dev/null
@@ -1,263 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "mds_name" {
- description = "MDS name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "installation_type" {
- description = "Installaiton type"
- type = string
- default = "mds-primary"
-}
-
-variable "primary" {
- type = string
-}
-
-variable "secondary" {
- type = string
-}
-
-variable "logserver" {
- type = string
-}
-
-locals { //locals for 'installation_type'
- isntallation_type_allowed_values = [
- "mds-primary",
- "mds-secondary",
- "mds-logserver"
- ]
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "address_space" {
- description = "The address space that is used by a Virtual Network."
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "subnet_prefix" {
- description = "Address prefix to be used for network subnet"
- type = string
- default = "10.0.0.0/24"
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "management_GUI_client_network" {
- description = "Allowed GUI clients - GUI clients network CIDR"
- type = string
- validation {
- condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32"
- error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)."
- }
-}
-
-variable "mds_enable_api" {
- description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable"
- type = string
- default = "disable"
-}
-
-locals {
- mds_enable_api_allowed_values = [
- "disable",
- "all",
- "management_only",
- "gui_clients"
- ]
- // will fail if [var.mds_enable_api] is invalid:
- validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api)
-
- regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
- // Will fail if var.address_space is invalid
- regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation."
- // Will fail if var.subnet_prefix is invalid
- regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation."
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- default = ""
- type = string
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-variable "sic_key" {
- description = "sic key"
- type = string
-}
-
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = []
-}
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
diff --git a/modules/mds_new_vnet/versions.tf b/modules/mds_new_vnet/versions.tf
deleted file mode 100755
index 0018913..0000000
--- a/modules/mds_new_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
diff --git a/modules/network_security_group/main.tf b/modules/network_security_group/main.tf
deleted file mode 100755
index 1beeaf1..0000000
--- a/modules/network_security_group/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-resource "azurerm_network_security_group" "nsg" {
- name = var.security_group_name
- location = var.location
- resource_group_name = var.resource_group_name
- tags = var.tags
- }
-
-//************ Security Rule Example **************//
-resource "azurerm_network_security_rule" "security_rule" {
- count = length(var.security_rules)
- name = lookup(var.security_rules[count.index], "name")
- priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
- direction = lookup(var.security_rules[count.index], "direction")
- access = lookup(var.security_rules[count.index], "access")
- protocol = lookup(var.security_rules[count.index], "protocol")
- source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
- destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
- description = lookup(var.security_rules[count.index], "description")
- source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
- destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
- resource_group_name = var.resource_group_name
- network_security_group_name = azurerm_network_security_group.nsg.name
-}
diff --git a/modules/network_security_group/output.tf b/modules/network_security_group/output.tf
deleted file mode 100755
index c1aa127..0000000
--- a/modules/network_security_group/output.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "network_security_group_id" {
- value = azurerm_network_security_group.nsg.id
-}
-
-output "network_security_group_name" {
- value = azurerm_network_security_group.nsg.name
-}
\ No newline at end of file
diff --git a/modules/nva/README.md b/modules/nva/README.md
new file mode 100644
index 0000000..89105b1
--- /dev/null
+++ b/modules/nva/README.md
@@ -0,0 +1,126 @@ +# Check Point CloudGuard Virtual WAN Module +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution in Azure. +As part of the deployment the following resources are created: +- Resource groups +- Virtual WAN +- Virtual WAN Hub +- Azure Managed Application: + - NVA + - Managed identity + +For additional information, +please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) + +## Usage +Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). + +**Example:** +```hcl +provider "azurerm" { + features {} +} + +module "example_module" { + source = "CheckPointSW/cloudguard-network-security/azure//modules/nva" + version = "1.0.6" + + # Authentication Variables + authentication_method = "Service Principal" + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + + # Basic Configurations Variables + resource_group_name = "tf-managed-app-resource-group" + location = "westcentralus" + tags = {} + + # Virtual WAN Configurations Variables + vwan_name = "tf-vwan" + vwan_hub_name = "tf-vwan-hub" + vwan_hub_address_prefix = "10.0.0.0/16" + + # Network Virtual Appliance Configurations Variables + managed_app_name = "tf-vwan-managed-app-nva" + nva_rg_name = "tf-vwan-nva-rg" + nva_name = "tf-vwan-nva" + os_version = "R82" + license_type = "Security Enforcement (NGTP)" + scale_unit = "2" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + admin_shell = "/etc/cli.sh" + sic_key = "xxxxxxxxxxxx" + admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + 
maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + bgp_asn = "64512" + custom_metrics = "yes" + routing_intent_internet_traffic = "yes" + routing_intent_private_traffic = "yes" + existing_public_ip = "" + new_public_ip = "yes" + + # Smart-1 Cloud Configurations Variables + smart1_cloud_token_a = "" + smart1_cloud_token_b = "" + smart1_cloud_token_c = "" + smart1_cloud_token_d = "" + smart1_cloud_token_e = "" +} +``` + +## Conditional Creation +### New or Existing Virtual WAN Deployment: +You can define if you want to deploy the NVA along side a new Virtual WAN or to use an existing Virtual WAN. +- To create a new VWAN, specify the `vwan_hub_address_prefix` variable: + ``` + vwan_name = "tf-vwan" + vwan_hub_name = "tf-vwan-hub" + vwan_hub_address_prefix = "10.0.0.0/16 + ``` +- To deploy using an existing Virtual WAN, leave the `vwan_hub_address_prefix` empty: + ``` + vwan_hub_name = "tf-vwan-hub" + vwan_hub_resource_group = "tf-vwan-hub-resource-group-name" + vwan_hub_address_prefix = "" + ``` + +## Module's variables: +| Name | Description | Type | Allowed values | +|------|-------------|------|----------------| +| **authentication_method** | The authentication method used to deploy the solution. | string | "Service Principal";
"Azure CLI"; | +| **subscription_id** | The subscription ID is used to pay for Azure cloud services. | string | N/A | +| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution. | string | N/A | +| **client_id** | The client ID of the Service Principal used to deploy the solution. | string | N/A | +| **client_secret** | The client secret value of the Service Principal used to deploy the solution. | string | N/A | +| **resource_group_name** | The name of the resource group that will contain the managed application. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** "managed-app-resource-group" | +| **location** | The region where the resources will be deployed at. | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations.
**Default:** "westcentralus" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`virtual-wan`
`virtual-hub`
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Defaults:** {} | +| **vwan_name** | The name of the virtual WAN that will be created. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan" | +| **vwan_hub_name** | The name of the virtual WAN hub that will be created, or the name of the Virtual WAN hub inside an existing Virtual WAN. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan-hub" | +| **vwan_hub_resource_group** | The resource group name for the Virtual Hub when using an existing VWAN. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan-hub" | +| **vwan_hub_address_prefix** | The address prefixes of the virtual WAN hub, used for determining if deploying an new Virtual WAN or an existing Virtual WAN. | string | Valid CIDR block, or an empty string in case you want to use an existing Virtual WAN
**Default:** "10.0.0.0/16" | +| **managed_app_name** | The name of the managed application that will be created. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** tf-vwan-managed-app | +| **nva_rg_name** | The name of the resource group that will contain the NVA. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** tf-vwan-nva-rg | +| **nva_name** | The name of the NVA that will be created. | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** tf-vwan-nva | +| **os_version** | The GAIA os version. | string | "R8110";
"R8120";
**Default:** "R82" | +| **license_type** | The Check Point licence type. | string | "Security Enforcement (NGTP)";
"Full Package (NGTX and Smart1-Cloud)";
"Full Package Premium (NGTX and Smart1-Cloud Premium)".
**Default:** "Security Enforcement (NGTP)" | +| **scale_unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2";
"4";
"10";
"20";
"30";
"60";
"80";
**Default:** "2" | +| **bootstrap_script** | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | +| **admin_shell** | Enables to select different admin shells. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | +| **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server. | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | +| **admin_SSH_key** | The public ssh key used for ssh connection to the NVA GW instances. | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure. | +| **serial_console_password_hash** | Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password. To generate password hash use the command `openssl passwd -6 PASSWORD` on Linux.
**Note:** In Azure Virtual Wan there is currently no serial console on the Network Virtual Appliance, the serial console password will be used as a maintenance mode password in R81.10 and below. | string | N/A | +| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux. | string | N/A | +| **bgp_asn** | The BGP autonomous system number. | string | 64512.
**Default:** "64512" | +| **custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring. | string | yes;
no;
**Default:** "yes" | +| **routing_intent_internet_traffic** | Set routing intent policy to allow internet traffic through the new nva. | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | +| **routing_intent_private_traffic** | Set routing intent policy to allow private traffic through the new nva. | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | +| **existing_public_ip** | Existing public IP reosurce to attach to the newly deployed NVA. | string | A resource ID of the public IP resource. | +| **new_public_ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA. | string | yes;
no;
**Defaults:** "no" | +| **smart1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501). | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| **smart1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501). | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| **smart1_cloud_token_c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501). | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| **smart1_cloud_token_d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501). | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| **smart1_cloud_token_e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501). | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. |
\ No newline at end of file
diff --git a/modules/nva/locals.tf b/modules/nva/locals.tf
new file mode 100644
index 0000000..2e34b84
--- /dev/null
+++ b/modules/nva/locals.tf
@@ -0,0 +1,7 @@
+locals {
+ license_types = {
+ "Security Enforcement (NGTP)" = ""
+ "Full Package (NGTX and Smart-1 Cloud)" = "-ngtx"
+ "Full Package Premium (NGTX and Smart-1 Cloud Premium)" = "-premium"
+ }
+}
diff --git a/modules/nva_into_new_vwan/main.tf b/modules/nva/main.tf
old mode 100755
new mode 100644
similarity index 56%
rename from modules/nva_into_new_vwan/main.tf
rename to modules/nva/main.tf
index f2d90f1..e78fe29
--- a/modules/nva_into_new_vwan/main.tf
+++ b/modules/nva/main.tf
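Review bot: The map keys `"Full Package (NGTX and Smart-1 Cloud)"` and `"Full Package Premium (NGTX and Smart-1 Cloud Premium)"` do not match the strings the README table in this commit documents and the removed inline conditional accepted, `"Full Package (NGTX and Smart1-Cloud)"` and `"Full Package Premium (NGTX and Smart1-Cloud Premium)"`. Because the `image_versions` url in main.tf now indexes `local.license_types[var.license_type]` directly, a caller passing the documented string gets an invalid-index error at plan time where the old expression fell back to `""`. Either align the keys with the documented values or keep the fallback with `lookup(local.license_types, var.license_type, "")` and let the variable validation name the accepted keys. The `license_type` validation block is cut off at the end of this view, so it may already reject the mismatch — worth confirming against the README wording.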
@@ -1,28 +1,23 @@ //********************** Basic Configuration **************************// -resource "azurerm_resource_group" "managed-app-rg" { - name = var.resource-group-name +resource "azurerm_resource_group" "managed_app_rg" { + name = var.resource_group_name location = var.location tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } -resource "azurerm_virtual_wan" "vwan" { - name = var.vwan-name - resource_group_name = azurerm_resource_group.managed-app-rg.name - location = var.location - tags = merge(lookup(var.tags, "virtual-wan", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_virtual_hub" "vwan-hub" { - name = var.vwan-hub-name - resource_group_name = azurerm_resource_group.managed-app-rg.name - location = azurerm_resource_group.managed-app-rg.location - address_prefix = var.vwan-hub-address-prefix - virtual_wan_id = azurerm_virtual_wan.vwan.id - tags = merge(lookup(var.tags, "virtual-hub", {}), lookup(var.tags, "all", {})) +//********************** Virtual WAN **************************// +module "vwan" { + source = "../common/vwan" + vwan_name = var.vwan_name + vwan_hub_name = var.vwan_hub_name + vwan_hub_address_prefix = var.vwan_hub_address_prefix + vwan_hub_resource_group = var.vwan_hub_resource_group + resource_group_name = azurerm_resource_group.managed_app_rg.name + location = azurerm_resource_group.managed_app_rg.location + tags = var.tags } //********************** Image Version **************************// - data "external" "az_access_token" { count = var.authentication_method == "Azure CLI" ? 1 : 0 program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] 
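Review bot: `module "vwan"` is handed the whole `var.tags` map, whereas the removed inline `azurerm_virtual_wan`/`azurerm_virtual_hub` resources merged `lookup(var.tags, "virtual-wan", {})` and `lookup(var.tags, "virtual-hub", {})` with the `"all"` scope; whether `../common/vwan` performs the same merge is not visible here, so the scoped-tag behaviour the README promises for those two resource types should be checked. The retained `data "external" "az_access_token"` shells out to `az` and, like any data source result, its token is persisted in state; a short comment above it such as `# Azure CLI auth path: reuses the caller's az session token (data source result is stored in state)` would make that trust boundary visible to operators. The data source body continues past the end of the hunk.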
@@ -42,9 +37,9 @@ locals { access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken } -data "http" "image-versions" { +data "http" "image_versions" { method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? "-premium" : ""}?api-version=2020-05-01" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${local.license_types[var.license_type]}?api-version=2020-05-01" request_headers = { Accept = "application/json" "Authorization" = "Bearer ${local.access_token}" 
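Review bot: `data "http" "image_versions"` is consumed in the next hunk with `jsondecode(data.http.image_versions.response_body).properties.availableVersions` without any check of the response status, so an expired or wrong-scope bearer token or an unknown SKU yields an opaque decode or attribute error rather than naming the cause. A postcondition on the data source surfaces it early: `lifecycle { postcondition { condition = self.status_code == 200 error_message = "Image version lookup returned HTTP ${self.status_code}; check credentials and license_type." } }`. The data source block continues past the end of the hunk, so the `lifecycle` block belongs after `request_headers`.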
@@ -52,28 +47,31 @@ data "http" "image-versions" { } locals { - image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)]) - routing_intent-internet-policy = { + image_versions = tolist([for version in jsondecode(data.http.image_versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os_version) > 3 ? var.os_version : "${var.os_version}00"), 1, 4)]) + + routing_intent_internet_policy = { "name" : "InternetTraffic", "destinations" : [ "Internet" ], - "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva_rg_name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva_name}" } - routing_intent-private-policy = { + + routing_intent_private_policy = { "name" : "PrivateTrafficPolicy", "destinations" : [ "PrivateTraffic" ], - "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva_rg_name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva_name}" } - routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : []) - public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? 
azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? split("/", var.existing-public-ip)[4] : ""}" + + routing_intent_policies = var.routing_intent_internet_traffic == "yes" ? (var.routing_intent_private_traffic == "yes" ? tolist([local.routing_intent_internet_policy, local.routing_intent_private_policy]) : tolist([local.routing_intent_internet_policy])) : (var.routing_intent_private_traffic == "yes" ? tolist([local.routing_intent_private_policy]) : []) + public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new_public_ip == "yes" ? azurerm_resource_group.managed_app_rg.name : var.existing_public_ip != "" ? split("/", var.existing_public_ip)[4] : ""}" } //********************** Marketplace Terms & Solution Registration **************************// -data "http" "accept-marketplace-terms-existing-agreement" { +data "http" "accept_marketplace_terms_existing_agreement" { method = "GET" url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" request_headers = { 
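Review bot: `public_ip_resource_group` derives the resource group with `split("/", var.existing_public_ip)[4]`, which assumes a full ARM resource ID; any other non-empty value fails with an index error in a local far from the variable that caused it. A validation on `existing_public_ip` gives a clear message instead: `condition = var.existing_public_ip == "" || can(regex("(?i)^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\\.network/publicipaddresses/[^/]+$", var.existing_public_ip))`. The `existing_public_ip` variable definition lies outside this view, so the validation may need to be added there.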
@@ -82,15 +80,15 @@ data "http" "accept-marketplace-terms-existing-agreement" { } } -resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { - count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 +resource "azurerm_marketplace_agreement" "accept_marketplace_terms" { + count = can(jsondecode(data.http.accept_marketplace_terms_existing_agreement.response_body).id) ? (jsondecode(data.http.accept_marketplace_terms_existing_agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 publisher = "checkpoint" offer = var.plan_product plan = "vwan-app" } -data "http" "azurerm_resource_provider_registration-exist" { +data "http" "azurerm_resource_provider_registration_exist" { method = "GET" url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" request_headers = { 
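Review bot: `count` on `azurerm_marketplace_agreement.accept_marketplace_terms` is computed from the live agreement state, so after the first successful apply the agreement is `Active`, the count evaluates to 0 on the next plan, and Terraform will destroy the instance it created; if the provider's destroy cancels the agreement (I believe it does, but confirm against the provider version pinned in the module), acceptance flaps between applies. A comment on the `count` line such as `# NOTE: count flips to 0 once the agreement is Active; verify destroy does not cancel the terms before relying on this` would at least record the hazard, and importing the existing agreement rather than conditionally creating it avoids it. The same read-then-decide pattern on `azurerm_resource_provider_registration.solutions` in the next hunk carries the analogous risk of unregistering the provider.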
@@ -100,35 +98,35 @@ data "http" "azurerm_resource_provider_registration-exist" { } resource "azurerm_resource_provider_registration" "solutions" { - count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1 + count = jsondecode(data.http.azurerm_resource_provider_registration_exist.response_body).registrationState == "Registered" ? 0 : 1 name = "Microsoft.Solutions" } //********************** Managed Identity **************************// resource "azurerm_user_assigned_identity" "managed_app_identity" { - location = azurerm_resource_group.managed-app-rg.location + location = azurerm_resource_group.managed_app_rg.location name = "managed_app_identity" - resource_group_name = azurerm_resource_group.managed-app-rg.name + resource_group_name = azurerm_resource_group.managed_app_rg.name tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {})) } resource "azurerm_role_assignment" "reader" { depends_on = [azurerm_user_assigned_identity.managed_app_identity] - scope = azurerm_virtual_hub.vwan-hub.id + scope = module.vwan.hub_id role_definition_name = "Reader" principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id } -resource "random_id" "randomId" { +resource "random_id" "random_id" { keepers = { - resource_group = azurerm_resource_group.managed-app-rg.name + resource_group = azurerm_resource_group.managed_app_rg.name } byte_length = 8 } -resource "azurerm_role_definition" "public-ip-join-role" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 - name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}" +resource "azurerm_role_definition" "public_ip_join_role" { + count = var.new_public_ip == "yes" || length(var.existing_public_ip) > 0 ? 
1 : 0 + name = "Managed Application Public IP Join Role - ${random_id.random_id.hex}" scope = local.public_ip_resource_group permissions { actions = ["Microsoft.Network/publicIPAddresses/join/action"] @@ -137,20 +135,23 @@ resource "azurerm_role_definition" "public-ip-join-role" { assignable_scopes = [local.public_ip_resource_group] } -resource "azurerm_role_assignment" "public-ip-join-role-assignment" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 +resource "azurerm_role_assignment" "public_ip_join_role_assignment" { + count = var.new_public_ip == "yes" || length(var.existing_public_ip) > 0 ? 1 : 0 scope = local.public_ip_resource_group - role_definition_id = azurerm_role_definition.public-ip-join-role[0].role_definition_resource_id + role_definition_id = azurerm_role_definition.public_ip_join_role[0].role_definition_resource_id principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id } //********************** Managed Application Configuration **************************// -resource "azapi_resource" "managed-app" { - depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] - type = "Microsoft.Solutions/applications@2019-07-01" - name = var.managed-app-name - location = azurerm_resource_group.managed-app-rg.location - parent_id = azurerm_resource_group.managed-app-rg.id +resource "azapi_resource" "managed_app" { + depends_on = [ + azurerm_marketplace_agreement.accept_marketplace_terms, + azurerm_resource_provider_registration.solutions + ] + type = "Microsoft.Solutions/applications@2019-07-01" + name = var.managed_app_name + location = azurerm_resource_group.managed_app_rg.location + parent_id = azurerm_resource_group.managed_app_rg.id body = { kind = "MarketPlace", plan = { 
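Review bot: `new_public_ip == "yes"` and a non-empty `existing_public_ip` are not mutually exclusive, yet `local.public_ip_resource_group` (previous hunk) resolves to the managed-app resource group whenever `new_public_ip` is `"yes"`, so when both are supplied the join role is scoped to a resource group that need not contain the existing IP. A validation on one of the two variables, e.g. `condition = !(var.new_public_ip == "yes" && var.existing_public_ip != "")` with `error_message = "Set either new_public_ip = \"yes\" or existing_public_ip, not both."`, removes the ambiguity. The variable definitions are outside this view.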
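Review bot: `azurerm_role_assignment.public_ip_join_role_assignment` references a custom role created in the same apply via `azurerm_role_definition.public_ip_join_role[0].role_definition_resource_id`; in my experience newly created role definitions can take some time to become visible to the authorization service, so the assignment can fail on first apply and succeed on retry. A comment noting this, `# custom role may not be visible to RBAC immediately after creation; rerun apply if the assignment reports the role as not found`, would save operators a debugging round, and a `retry` or explicit delay is worth considering if it bites in practice. The managed-app resource that starts at the end of this hunk continues beyond it.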
@@ -168,31 +169,31 @@ resource "azapi_resource" "managed-app" { properties = { parameters = { location = { - value = azurerm_resource_group.managed-app-rg.location + value = azurerm_resource_group.managed_app_rg.location }, hubId = { - value = azurerm_virtual_hub.vwan-hub.id + value = module.vwan.hub_id }, osVersion = { - value = var.os-version + value = var.os_version }, LicenseType = { - value = var.license-type + value = var.license_type }, imageVersion = { value = element(local.image_versions, length(local.image_versions) - 1) }, scaleUnit = { - value = var.scale-unit + value = var.scale_unit }, bootstrapScript = { - value = var.bootstrap-script + value = var.bootstrap_script }, adminShell = { - value = var.admin-shell + value = var.admin_shell }, sicKey = { - value = var.sic-key + value = var.sic_key }, sshPublicKey = { value = var.admin_SSH_key 
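Review bot: `sicKey = { value = var.sic_key }` places a one-time trust secret in the azapi `body`, and the next hunk does the same for the five `smart1_cloud_token_*` values and the password hashes, while the only secret variable visible in this commit's variables.tf, `client_secret`, is declared without `sensitive = true`. Marking `client_secret`, `sic_key`, the Smart-1 tokens and the two hash variables `sensitive = true` keeps them out of plan output and logs; the state file still holds them, so that should be called out in the README alongside state-backend encryption. If the azapi provider version pinned for this module supports `sensitive_body`, moving these parameters there would also keep them out of plan diffs — confirm the version before relying on it. The managed-app resource body continues beyond this hunk.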
@@ -204,43 +205,43 @@ resource "azapi_resource" "managed-app" { value = var.serial_console_password_hash }, BGP = { - value = var.bgp-asn + value = var.bgp_asn }, NVA = { - value = var.nva-name + value = var.nva_name }, customMetrics = { - value = var.custom-metrics + value = var.custom_metrics }, hubASN = { - value = azurerm_virtual_hub.vwan-hub.virtual_router_asn + value = module.vwan.hub_virtual_router_asn }, hubPeers = { - value = azurerm_virtual_hub.vwan-hub.virtual_router_ips + value = module.vwan.hub_virtual_router_ips }, smart1CloudTokenA = { - value = var.smart1-cloud-token-a + value = var.smart1_cloud_token_a }, smart1CloudTokenB = { - value = var.smart1-cloud-token-b + value = var.smart1_cloud_token_b }, smart1CloudTokenC = { - value = var.smart1-cloud-token-c + value = var.smart1_cloud_token_c }, smart1CloudTokenD = { - value = var.smart1-cloud-token-d + value = var.smart1_cloud_token_d }, smart1CloudTokenE = { - value = var.smart1-cloud-token-e + value = var.smart1_cloud_token_e }, publicIPIngress = { - value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no" + value = (var.new_public_ip == "yes" || length(var.existing_public_ip) > 0) ? "yes" : "no" }, createNewIPIngress = { - value = var.new-public-ip + value = var.new_public_ip }, ipIngressExistingResourceId = { - value = var.existing-public-ip + value = var.existing_public_ip }, templateName = { value = "wan_terraform_registry" 
@@ -249,28 +250,31 @@ resource "azapi_resource" "managed-app" { value = { "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {})) } + }, + customLicenseType = { + value = var.custom_license_type } }, - managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}" + managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva_rg_name}" } } tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {})) } - //********************** Routing Intent **************************// - resource "azapi_resource" "routing_intent" { - count = length(local.routing-intent-policies) != 0 ? 1 : 0 - depends_on = [azapi_resource.managed-app] - type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01" - name = "hubRoutingIntent" - parent_id = azurerm_virtual_hub.vwan-hub.id + depends_on = [ + azapi_resource.managed_app + ] + count = length(local.routing_intent_policies) != 0 ? 1 : 0 + type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01" + name = "hubRoutingIntent" + parent_id = module.vwan.hub_id body = { properties = { - routingPolicies = local.routing-intent-policies + routingPolicies = local.routing_intent_policies } } diff --git a/modules/nva/variables.tf b/modules/nva/variables.tf new file mode 100644 index 0000000..eaa812c --- /dev/null +++ b/modules/nva/variables.tf 
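Review bot: The new `customLicenseType = { value = var.custom_license_type }` parameter references a variable that neither the README's variables table in this commit nor the visible part of variables.tf documents, so users of the published module have no way to learn its accepted values or its interaction with `license_type`. Add a row to the README table and, if the variable is declared later in variables.tf, a `description` that states when it applies; a brief comment on the parameter, `# custom license: passed through to the managed app; see variables.tf for accepted values`, would help here as well. The `azapi_resource.routing_intent` block ends past this hunk.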
@@ -0,0 +1,351 @@ +//********************** Authentication Variables **************************// +variable "authentication_method" { + description = "Azure authentication method" + type = string + validation { + condition = contains(["Azure CLI", + "Service Principal"], var.authentication_method) + error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" + } +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +//********************** Basic Configurations Variables **************************// +variable "resource_group_name" { + description = "The name of the resource group in which to create the resources." + type = string +} + +variable "location" { + description = "The Azure region where the resources will be created." + type = string +} + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} + +//********************** Virtual WAN Configurations Variables **************************// +variable "vwan_name" { + description = "The name of the Virtual WAN." + type = string + default = "tf-vwan" + + validation { + condition = var.vwan_hub_address_prefix != "" ? var.vwan_name != "" : true + error_message = "When creating a new VWAN, you must provide a name for the VWAN." + } +} + +variable "vwan_hub_name" { + description = "The name of the Virtual Hub." + type = string + default = "tf-vwan-hub" + + validation { + condition = var.vwan_hub_name != "" + error_message = "You must provide a name for the VWAN hub." 
+ } +} + +variable "vwan_hub_resource_group" { + description = "The resource group name for the Virtual Hub when using an existing VWAN." + type = string + default = "" + + validation { + condition = var.vwan_hub_address_prefix == "" ? var.vwan_hub_resource_group != "" : true + error_message = "When using an existing VWAN, you must provide the resource group name of the VWAN hub." + } +} + +variable "vwan_hub_address_prefix" { + description = "The address prefix for the Virtual Hub." + type = string + default = "10.0.0.0/16" + + validation { + condition = var.vwan_hub_address_prefix != "" ? can(cidrhost(var.vwan_hub_address_prefix, 0)) : true + error_message = "Please provide a valid CIDR specification for the VWAN address space" + } +} + +//********************** Network Virtual Appliance Configurations Variables **************************// +variable "managed_app_name" { + description = "The name of the managed application." + type = string + default = "tf-vwan-managed-app" +} + +variable "nva_rg_name" { + description = "The name of the resource group in which to create the Network Virtual Appliance." + type = string + default = "tf-vwan-nva-rg" +} + +variable "nva_name" { + description = "The name of the Network Virtual Appliance." + type = string + default = "tf-vwan-nva" +} + +variable "os_version" { + description = "GAIA OS version." + type = string + default = "R82" + + validation { + condition = contains([ + "R8110", + "R8120", + "R82" + ], var.os_version) + error_message = "Variable [os_version] must be one of the following: 'R8110', 'R8120', 'R82'." + } +} + +variable "license_type" { + description = "License type." 
+ type = string + default = "Security Enforcement (NGTP)" + + validation { + condition = contains([ + "Security Enforcement (NGTP)", + "Full Package (NGTX and Smart-1 Cloud)", + "Full Package Premium (NGTX and Smart-1 Cloud Premium)" + ], var.license_type) + error_message = "Variable [license_type] must be one of the following: 'Security Enforcement (NGTP)', 'Full Package (NGTX and Smart-1 Cloud)', 'Full Package Premium (NGTX and Smart-1 Cloud Premium)'." + } +} + +variable "scale_unit" { + description = "The scale unit of the CloudGuard Gateway." + type = string + default = "2" + + validation { + condition = contains([ + "2", + "4", + "10", + "20", + "30", + "60", + "80" + ], var.scale_unit) + error_message = "Variable [scale_unit] must be one of the following: '2', '4', '10', '20', '30', '60', '80'." + } +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot." + type = string + default = "" +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time." + type = string + default = "/etc/cli.sh" + + validation { + condition = contains([ + "/etc/cli.sh", + "/bin/bash", + "/bin/tcsh", + "/bin/csh" + ], var.admin_shell) + error_message = "Variable [admin_shell] must be one of the following: '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'." + } +} + +variable "sic_key" { + description = "Secure Internal Communication (SIC) key." + type = string + default = "" + sensitive = true + + validation { + condition = can(regex("^[a-z0-9A-Z]{8,30}$", + var.sic_key)) + error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." + } +} + +variable "admin_SSH_key" { + description = "The SSH public key for SSH authentication to the template instances." + type = string + default = "" +} + +variable "serial_console_password_hash" { + description = "Serial console connection password hash. 
In R81.10 and below, the serial console password is also used as the maintenance mode password." + type = string + default = "" +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions." + type = string + default = "" +} + +variable "bgp_asn" { + type = string + default = "64512" + + validation { + condition = tonumber(var.bgp_asn) >= 64512 && tonumber(var.bgp_asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp_asn)) + error_message = "Variable [bgp_asn] must be in the range 64512-65534, excluding 65515 and 65520." + } +} + +variable "custom_metrics" { + description = "Enable/Disable custom metrics on the CloudGuard Gateway." + type = string + default = "yes" + + validation { + condition = contains([ + "yes", + "no" + ], var.custom_metrics) + error_message = "Variable [custom_metrics] must be either 'yes' or 'no'." + } +} + +//********************** Networking Configurations **************************// +variable "routing_intent_internet_traffic" { + description = "Enable/Disable routing intent for internet traffic." + type = string + default = "yes" + + validation { + condition = contains([ + "yes", + "no" + ], var.routing_intent_internet_traffic) + error_message = "Variable [routing_intent_internet_traffic] must be either 'yes' or 'no'." + } +} + +variable "routing_intent_private_traffic" { + description = "Enable/Disable routing intent for private traffic." + type = string + default = "yes" + + validation { + condition = contains([ + "yes", + "no" + ], var.routing_intent_private_traffic) + error_message = "Variable [routing_intent_private_traffic] must be either 'yes' or 'no'." + } +} + +variable "existing_public_ip" { + description = "The ID of an existing public IP to be used for the CloudGuard Gateway." + type = string + default = "" +} + +variable "new_public_ip" { + description = "Create a new public IP for the CloudGuard Gateway." 
+ type = string + default = "no" + + validation { + condition = contains([ + "yes", + "no" + ], var.new_public_ip) + error_message = "Variable [new_public_ip] must be either 'yes' or 'no'." + } + + validation { + condition = var.existing_public_ip != "" && var.new_public_ip == "no" ? true : var.existing_public_ip == "" && var.new_public_ip == "yes" + error_message = "To assign a public IP to the CloudGuard Gateway, you must either provide an existing public IP or set new_public_ip to 'yes' to create a new one." + } +} + +//********************** Smart-1 Cloud Configurations Variables **************************// +variable "smart1_cloud_token_a" { + description = "Smart-1 Cloud Token, for configuring member A." + type = string + default = "" +} + +variable "smart1_cloud_token_b" { + description = "Smart-1 Cloud Token, for configuring member B." + type = string + default = "" +} + +variable "smart1_cloud_token_c" { + description = "Smart-1 Cloud Token, for configuring member C." + type = string + default = "" +} + +variable "smart1_cloud_token_d" { + description = "Smart-1 Cloud Token, for configuring member D." + type = string + default = "" +} + +variable "smart1_cloud_token_e" { + description = "Smart-1 Cloud Token, for configuring member E." + type = string + default = "" +} + +//********************** Marketplace Plan Configurations Variables **************************// +variable "plan_product" { + description = "Use the following plan when deploying with terraform: cp-vwan-managed-app." + type = string + default = "cp-vwan-managed-app" +} + +variable "plan_version" { + description = "Use the latest version of the managed application (e.g., 1.0.24) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192." + type = string + default = "1.0.24" +} + +variable "custom_license_type" { + description = "License type when using staged image." 
+ type = string + default = "" + + validation { + condition = contains([ + "", + "ngtp", + "ngtx", + "premium" + ], var.custom_license_type) + error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty." + } +} diff --git a/modules/nva_into_existing_hub/versions.tf b/modules/nva/versions.tf old mode 100755 new mode 100644 similarity index 100% rename from modules/nva_into_existing_hub/versions.tf rename to modules/nva/versions.tf diff --git a/modules/nva_into_existing_hub/README.md b/modules/nva_into_existing_hub/README.md deleted file mode 100755 index eed6b5b..0000000 --- a/modules/nva_into_existing_hub/README.md +++ /dev/null 
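Review bot: `client_secret` is declared without `sensitive = true` even though its own description calls it an application password, and the five `smart1_cloud_token_*` variables plus `serial_console_password_hash` and `maintenance_mode_password_hash` are likewise unmarked; only `sic_key` is protected. These values are interpolated into the managed-application parameters in `main.tf`, so without the flag they are printed in plan/apply output and CI logs — add `sensitive = true` to each of those declarations. Separately, the second validation on `new_public_ip` evaluates to false for the declared defaults (`existing_public_ip = ""`, `new_public_ip = "no"`), so the defaults cannot be applied as written; if a no-ingress deployment is intended (the `publicIPIngress` parameter in `main.tf` computes a "no" case), relax it to `condition = !(var.existing_public_ip != "" && var.new_public_ip == "yes")`, otherwise change the default to match. `sic_key` has the same default/validation mismatch, since `^[a-z0-9A-Z]{8,30}$` rejects the default `""` and the variable is effectively required.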
@@ -1,99 +0,0 @@ -# Check Point CloudGuard Virtual WAN Module - Existing Hub - -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. -As part of the deployment the following resources are created: -- Resource groups -- Azure Managed Application: - - NVA - - Managed identity - -For additional information, -please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_existing_hub" - version = "1.0.8" - - authentication_method = "Service Principal" - client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - resource-group-name = "tf-managed-app-resource-group" - location = "westcentralus" - vwan-hub-name = "tf-vwan-hub" - vwan-hub-resource-group = "tf-vwan-hub-rg" - managed-app-name = "tf-vwan-managed-app-nva" - nva-rg-name = "tf-vwan-nva-rg" - nva-name = "tf-vwan-nva" - os-version = "R82" - license-type = "Security Enforcement (NGTP)" - scale-unit = "2" - bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - admin-shell = "/etc/cli.sh" - sic-key = "xxxxxxxxxxxx" - admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - bgp-asn = "64512" - custom-metrics = "yes" - 
routing-intent-internet-traffic = "yes" - routing-intent-private-traffic = "yes" - smart1-cloud-token-a = "" - smart1-cloud-token-b = "" - smart1-cloud-token-c = "" - smart1-cloud-token-d = "" - smart1-cloud-token-e = "" - existing-public-ip = "" - new-public-ip = "yes" -} -``` - -## Known limitations -1. 'terraform destroy' doesn't work if routing-intent is configured. To destroy the deployment, the routing-intent should be deleted manually first. - -### Module's variables: - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI". | -| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | -| **client_id** | The client ID of the Service Principal used to deploy the solution | string | | -| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | -| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | -| **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** "tf-managed-app-resource-group" | -| **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations.
**Default:** "westcentralus" | -| **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | -| **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan-managed-app-nva" | -| **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan-nva" | -| **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** "tf-vwan-nva-rg" | -| **os-version** | The GAIA os version | string | "R8110";
"R8120";
"R82";
**Default:** "R82" | -| **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)";
"Full Package (NGTX and Smart1-Cloud)";
"Full Package Premium (NGTX and Smart1-Cloud Premium)".
**Default:** "Security Enforcement (NGTP)" | -| **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled | string | "2";
"4";
"10";
"20";
"30";
"60";
"80".
**Default:** "2" | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | -| **admin_SSH_key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure. | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password. To generate password hash use the command `openssl passwd -6 PASSWORD` on Linux.
**Note:** In Azure Virtual Wan there is currently no serial console on the Network Virtual Appliance, the serial console password will be used as a maintenance mode password in R81.10 and below. | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux. | string | | -| **bgp-asn** | The BGP autonomous system number | string | 64512.
**Default:** "64512" | -| **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no.
**Default:** "yes" | -| **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | -| **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | -| **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/nva_into_existing_hub/main.tf b/modules/nva_into_existing_hub/main.tf deleted file mode 100755 index 11e7f57..0000000 --- a/modules/nva_into_existing_hub/main.tf +++ /dev/null 
@@ -1,295 +0,0 @@ -//********************** Basic Configuration **************************// -resource "azurerm_resource_group" "managed-app-rg" { - name = var.resource-group-name - location = var.location - tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) -} - -data "azurerm_virtual_hub" "vwan-hub" { - name = var.vwan-hub-name - resource_group_name = var.vwan-hub-resource-group -} - -//********************** Image Version **************************// - -data "external" "az_access_token" { - count = var.authentication_method == "Azure CLI" ? 1 : 0 - program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] -} - -data "http" "azure_auth" { - count = var.authentication_method == "Service Principal" ? 1 : 0 - url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token" - method = "POST" - request_headers = { - "Content-Type" = "application/x-www-form-urlencoded" - } - request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default" -} - -locals { - access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken -} - -data "http" "image-versions" { - method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? 
"-premium" : ""}?api-version=2020-05-01" - request_headers = { - Accept = "application/json" - "Authorization" = "Bearer ${local.access_token}" - } -} - -locals { - image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)]) - routing_intent-internet-policy = { - "name": "InternetTraffic", - "destinations": [ - "Internet" - ], - "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" - } - routing_intent-private-policy = { - "name": "PrivateTrafficPolicy", - "destinations": [ - "PrivateTraffic" - ], - "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" - } - routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : []) - public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? 
split("/", var.existing-public-ip)[4] : ""}" -} - -//********************** Marketplace Terms & Solution Registration **************************// -data "http" "accept-marketplace-terms-existing-agreement" { - method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" - request_headers = { - Accept = "application/json" - "Authorization" = "Bearer ${local.access_token}" - } -} - -resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { - count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 - publisher = "checkpoint" - offer = var.plan_product - plan = "vwan-app" -} - -data "http" "azurerm_resource_provider_registration-exist" { - method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" - request_headers = { - Accept = "application/json" - "Authorization" = "Bearer ${local.access_token}" - } -} - -resource "azurerm_resource_provider_registration" "solutions" { - count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 
0 : 1 - name = "Microsoft.Solutions" -} - -//********************** Managed Identity **************************// -resource "azurerm_user_assigned_identity" "managed_app_identity" { - location = azurerm_resource_group.managed-app-rg.location - name = "managed_app_identity" - resource_group_name = azurerm_resource_group.managed-app-rg.name - tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_role_assignment" "reader" { - depends_on = [azurerm_user_assigned_identity.managed_app_identity] - scope = data.azurerm_virtual_hub.vwan-hub.id - role_definition_name = "Reader" - principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id -} - -resource "random_id" "randomId" { - keepers = { - resource_group = azurerm_resource_group.managed-app-rg.name - } - byte_length = 8 -} - -resource "azurerm_role_definition" "public-ip-join-role" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 - name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}" - scope = local.public_ip_resource_group - permissions { - actions = ["Microsoft.Network/publicIPAddresses/join/action"] - not_actions = [] - } - assignable_scopes = [local.public_ip_resource_group] -} - -resource "azurerm_role_assignment" "public-ip-join-role-assignment" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 
1 : 0 - scope = local.public_ip_resource_group - role_definition_id = azurerm_role_definition.public-ip-join-role[0].role_definition_resource_id - principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id -} - -//********************** Managed Application Configuration **************************// -resource "azapi_resource" "managed-app" { - depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] - type = "Microsoft.Solutions/applications@2019-07-01" - name = var.managed-app-name - location = azurerm_resource_group.managed-app-rg.location - parent_id = azurerm_resource_group.managed-app-rg.id - body = { - kind = "MarketPlace", - plan = { - name = "vwan-app" - product = var.plan_product - publisher = "checkpoint" - version = var.plan_version - }, - identity = { - type = "UserAssigned" - userAssignedIdentities = { - (azurerm_user_assigned_identity.managed_app_identity.id) = {} - } - }, - properties = { - parameters = { - location = { - value = azurerm_resource_group.managed-app-rg.location - }, - hubId = { - value = data.azurerm_virtual_hub.vwan-hub.id - }, - osVersion = { - value = var.os-version - }, - LicenseType = { - value = var.license-type - }, - imageVersion = { - value = element(local.image_versions, length(local.image_versions) -1) - }, - scaleUnit = { - value = var.scale-unit - }, - bootstrapScript = { - value = var.bootstrap-script - }, - adminShell = { - value = var.admin-shell - }, - sicKey = { - value = var.sic-key - }, - sshPublicKey = { - value = var.admin_SSH_key - }, - MaintenanceModePasswordHash = { - value = var.maintenance_mode_password_hash - }, - SerialConsolePasswordHash = { - value = var.serial_console_password_hash - }, - BGP = { - value = var.bgp-asn - }, - NVA = { - value = var.nva-name - }, - customMetrics = { - value = var.custom-metrics - }, - hubASN = { - value = data.azurerm_virtual_hub.vwan-hub.virtual_router_asn - }, - hubPeers = { - value = 
data.azurerm_virtual_hub.vwan-hub.virtual_router_ips
- },
- smart1CloudTokenA = {
- value = var.smart1-cloud-token-a
- },
- smart1CloudTokenB = {
- value = var.smart1-cloud-token-b
- },
- smart1CloudTokenC = {
- value = var.smart1-cloud-token-c
- },
- smart1CloudTokenD = {
- value = var.smart1-cloud-token-d
- },
- smart1CloudTokenE = {
- value = var.smart1-cloud-token-e
- },
- publicIPIngress = {
- value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no"
- },
- createNewIPIngress = {
- value = var.new-public-ip
- },
- ipIngressExistingResourceId = {
- value = var.existing-public-ip
- },
- templateName = {
- value = "wan_terraform_registry"
- },
- tags = {
- value = {
- "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {}))
- }
- }
- },
- managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}"
- }
- }
-
- tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Routing Intent **************************//
-
-data "azapi_resource_list" "existing_routing_intent" {
- type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01"
- parent_id = data.azurerm_virtual_hub.vwan-hub.id
- response_export_values = {
- "values" = "value[].{routingPolicies: properties.routingPolicies}"
- }
-
-}
-
-locals {
- routing_intent_exists = length([for intent in data.azapi_resource_list.existing_routing_intent.output.values : intent]) > 0
- existing_policies = try(data.azapi_resource_list.existing_routing_intent.output.values[0].routingPolicies, [])
- merged_policies = concat(
- local.routing-intent-policies,
- [for policy in local.existing_policies : policy if !contains([for p in local.routing-intent-policies : p.destinations[0]], policy.destinations[0])]
- )
-}
-
-resource "azapi_resource" "routing_intent" {
- count = length(local.routing-intent-policies) != 0 && !local.routing_intent_exists ? 1 : 0
- depends_on = [azapi_resource.managed-app]
- type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01"
- name = "hubRoutingIntent"
- parent_id = data.azurerm_virtual_hub.vwan-hub.id
-
- body = {
- properties = {
- routingPolicies = local.routing-intent-policies
- }
-}
-
- tags = merge(lookup(var.tags, "routing-intent", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azapi_update_resource" "update_routing_intent" {
- count = length(local.routing-intent-policies) != 0 && local.routing_intent_exists ? 1 : 0
- depends_on = [azapi_resource.managed-app]
- type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01"
- resource_id = "${data.azurerm_virtual_hub.vwan-hub.id}/routingIntent/hubRoutingIntent"
-
- body = {
- properties = {
- routingPolicies = local.merged_policies
- }
- }
-}
diff --git a/modules/nva_into_existing_hub/variables.tf b/modules/nva_into_existing_hub/variables.tf
deleted file mode 100755
index d090105..0000000
--- a/modules/nva_into_existing_hub/variables.tf
+++ /dev/null
@@ -1,238 +0,0 @@
-variable "authentication_method" {
- description = "Azure authentication method"
- type = string
- validation {
- condition = contains(["Azure CLI", "Service Principal"], var.authentication_method)
- error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'"
- }
-}
-
-variable "subscription_id" {
- description = "Subscription ID"
- type = string
-}
-
-variable "tenant_id" {
- description = "Tenant ID"
- type = string
-}
-
-variable "client_id" {
- description = "Application ID(Client ID)"
- type = string
-}
-
-variable "client_secret" {
- description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
- type = string
-}
-
-variable "resource-group-name" {
- type = string
- default = "tf-managed-app-resource-group"
-}
-
-variable "location" {
- type = string
- default = "westcentralus"
-}
-
-variable "managed-app-name" {
- type = string
- default = "tf-vwan-managed-app-nva"
-}
-
-variable "vwan-hub-name" {
- type = string
-}
-
-variable "vwan-hub-resource-group" {
- type = string
-}
-
-variable "nva-rg-name" {
- type = string
- default = "tf-vwan-nva-rg"
-}
-
-variable "nva-name" {
- type = string
- default = "tf-vwan-nva"
-}
-
-variable "os-version" {
- description = "GAIA OS version"
- type = string
- default = "R82"
- validation {
- condition = contains(["R8110", "R8120", "R82"], var.os-version)
- error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
- }
-}
-
-variable "license-type" {
- type = string
- default = "Security Enforcement (NGTP)"
- validation {
- condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX and Smart1-Cloud)", "Full Package Premium (NGTX and Smart1-Cloud Premium)"], var.license-type)
- error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX and Smart1-Cloud)', 'Full Package Premium (NGTX and Smart1-Cloud Premium)'"
- }
-}
-
-variable "scale-unit" {
- type = string
- default = "2"
- validation {
- condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit)
- error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'"
- }
-}
-
-variable "bootstrap-script" {
- type = string
- default = ""
-}
-
-variable "admin-shell" {
- type = string
- default = "/etc/cli.sh"
- validation {
- condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell)
- error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'"
- }
-}
-
-variable "sic-key" {
- type = string
- default = ""
- sensitive = true
- validation {
- condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
- error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long."
- }
-}
-
-variable "admin_SSH_key" {
- type = string
- default = ""
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password."
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "bgp-asn" {
- type = string
- default = "64512"
- validation {
- condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
- error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
- }
-}
-
-variable "custom-metrics" {
- type = string
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.custom-metrics)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "routing-intent-internet-traffic" {
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.routing-intent-internet-traffic)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "routing-intent-private-traffic" {
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.routing-intent-private-traffic)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "smart1-cloud-token-a" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-b" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-c" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-d" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-e" {
- type = string
- default = ""
-}
-
-variable "existing-public-ip" {
- type = string
- default = ""
-}
-
-variable "new-public-ip" {
- type = string
- default = "no"
- validation {
- condition = contains(["yes", "no"], var.new-public-ip)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-locals {
- # Validate that new-public-ip is false when existing-public-ip is used
- is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
- validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used"
- _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
-
-variable "plan_product" {
- description = "Use the following plan when deploying with terraform: cp-vwan-managed-app"
- type = string
- default = "cp-vwan-managed-app"
-}
-
-variable "plan_version" {
- description = "Use the latest version of the managed application (e.g., 1.0.24) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192"
- type = string
- default = "1.0.24"
-}
-
-variable "custom_license_type" {
- description = "License type when using staged image."
- type = string
- default = ""
- validation {
- condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type)
- error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty."
- }
-}
diff --git a/modules/nva_into_new_vwan/README.md b/modules/nva_into_new_vwan/README.md
deleted file mode 100755
index 183d9cf..0000000
--- a/modules/nva_into_new_vwan/README.md
+++ /dev/null
@@ -1,107 +0,0 @@ -# Check Point CloudGuard Virtual WAN Module - New Virtual WAN - -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. -As part of the deployment the following resources are created: -- Resource groups -- Virtual WAN -- Virtual WAN Hub -- Azure Managed Application: - - NVA - - Managed identity - -For additional information, -please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_new_vwan" - version = "1.0.8" - - authentication_method = "Service Principal" - client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - resource-group-name = "tf-managed-app-resource-group" - location = "westcentralus" - vwan-name = "tf-vwan" - vwan-hub-name = "tf-vwan-hub" - vwan-hub-address-prefix = "10.0.0.0/16" - managed-app-name = "tf-vwan-managed-app-nva" - nva-rg-name = "tf-vwan-nva-rg" - nva-name = "tf-vwan-nva" - os-version = "R82" - license-type = "Security Enforcement (NGTP)" - scale-unit = "2" - bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - admin-shell = "/etc/cli.sh" - sic-key = "xxxxxxxxxxxx" - admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - bgp-asn = 
"64512" - custom-metrics = "yes" - routing-intent-internet-traffic = "yes" - routing-intent-private-traffic = "yes" - smart1-cloud-token-a = "" - smart1-cloud-token-b = "" - smart1-cloud-token-c = "" - smart1-cloud-token-d = "" - smart1-cloud-token-e = "" - existing-public-ip = "" - new-public-ip = "yes" -} -``` - -## Known limitations -1. 'terraform destroy' doesn't work if routing-intent is configured. To destroy the deployment, the routing-intent should be deleted manually first. - - -### Module's variables: - - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI". | -| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | -| **client_id** | The client ID of the Service Principal used to deploy the solution | string | | -| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | -| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | -| **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** "managed-app-resource-group" | -| **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations.
**Default:** "westcentralus" | -| **vwan-name** | The name of the virtual WAN that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan" | -| **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** "tf-vwan-hub" | -| **vwan-hub-address-prefix** | The address prefixes of the virtual hub | string | Valid CIDR block.
**Default:** "10.0.0.0/16" | -| **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** tf-vwan-managed-app | -| **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
**Default:** tf-vwan-nva | -| **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
**Default:** tf-vwan-nva-rg | -| **os-version** | The GAIA os version | string | "R8110";
"R8120";
"R82";
**Default:** "R82" | -| **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)";
"Full Package (NGTX and Smart1-Cloud)";
"Full Package Premium (NGTX and Smart1-Cloud Premium)".
**Default:** "Security Enforcement (NGTP)" | -| **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled | string | "2";
"4";
"10";
"20";
"30";
"60";
"80".
**Default:** "2" | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | -| **admin_SSH_key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure. | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password. To generate password hash use the command `openssl passwd -6 PASSWORD` on Linux.
**Note:** In Azure Virtual Wan there is currently no serial console on the Network Virtual Appliance, the serial console password will be used as a maintenance mode password in R81.10 and below. | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate a password hash, use the command `grub2-mkpasswd-pbkdf2` on Linux. | string | | -| **bgp-asn** | The BGP autonomous system number | string | 64512.
**Default:** "64512" | -| **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no.
**Default:** "yes" | -| **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | -| **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no.
Please verify routing-intent is configured successfully post-deployment.
**Default:** "yes" | -| **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource. | -| **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no. | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`virtual-wan`
`virtual-hub`
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/nva_into_new_vwan/variables.tf b/modules/nva_into_new_vwan/variables.tf
deleted file mode 100755
index 000db66..0000000
--- a/modules/nva_into_new_vwan/variables.tf
+++ /dev/null
@@ -1,249 +0,0 @@
-variable "authentication_method" {
- description = "Azure authentication method"
- type = string
- validation {
- condition = contains(["Azure CLI", "Service Principal"], var.authentication_method)
- error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'"
- }
-}
-
-variable "subscription_id" {
- description = "Subscription ID"
- type = string
-}
-
-variable "tenant_id" {
- description = "Tenant ID"
- type = string
-}
-
-variable "client_id" {
- description = "Application ID(Client ID)"
- type = string
-}
-
-variable "client_secret" {
- description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
- type = string
-}
-
-variable "resource-group-name" {
- type = string
- default = "managed-app-resource-group"
-}
-
-variable "location" {
- type = string
- default = "westcentralus"
-}
-
-variable "vwan-name" {
- type = string
- default = "tf-vwan"
-}
-
-variable "vwan-hub-name" {
- type = string
- default = "tf-vwan-hub"
-}
-
-variable "vwan-hub-address-prefix" {
- type = string
- default = "10.0.0.0/16"
- validation {
- condition = can(cidrhost(var.vwan-hub-address-prefix, 0))
- error_message = "Please provide a valid CIDR specification for the VWAN address space"
- }
-}
-
-variable "managed-app-name" {
- type = string
- default = "tf-vwan-managed-app"
-}
-
-variable "nva-rg-name" {
- type = string
- default = "tf-vwan-nva-rg"
-}
-
-variable "nva-name" {
- type = string
- default = "tf-vwan-nva"
-}
-
-variable "os-version" {
- description = "GAIA OS version"
- type = string
- default = "R82"
- validation {
- condition = contains(["R8110", "R8120", "R82"], var.os-version)
- error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
- }
-}
-
-variable "license-type" {
- type = string
- default = "Security Enforcement (NGTP)"
- validation {
- condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX and Smart1-Cloud)", "Full Package Premium (NGTX and Smart1-Cloud Premium)"], var.license-type)
- error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX and Smart1-Cloud)', 'Full Package Premium (NGTX and Smart1-Cloud Premium)'"
- }
-}
-
-variable "scale-unit" {
- type = string
- default = "2"
- validation {
- condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit)
- error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'"
- }
-}
-
-variable "bootstrap-script" {
- type = string
- default = ""
-}
-
-variable "admin-shell" {
- type = string
- default = "/etc/cli.sh"
- validation {
- condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell)
- error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'"
- }
-}
-
-variable "sic-key" {
- type = string
- default = ""
- sensitive = true
- validation {
- condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key))
- error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long."
- }
-}
-
-variable "admin_SSH_key" {
- type = string
- default = ""
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection. In R81.10 and below, the serial console password is also used as the maintenance mode password."
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
- type = string
- default = ""
-}
-
-variable "bgp-asn" {
- type = string
- default = "64512"
- validation {
- condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
- error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
- }
-}
-
-variable "custom-metrics" {
- type = string
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.custom-metrics)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "routing-intent-internet-traffic" {
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.routing-intent-internet-traffic)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "routing-intent-private-traffic" {
- default = "yes"
- validation {
- condition = contains(["yes", "no"], var.routing-intent-private-traffic)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-variable "smart1-cloud-token-a" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-b" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-c" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-d" {
- type = string
- default = ""
-}
-
-variable "smart1-cloud-token-e" {
- type = string
- default = ""
-}
-
-variable "existing-public-ip" {
- type = string
- default = ""
-}
-
-variable "new-public-ip" {
- type = string
- default = "no"
- validation {
- condition = contains(["yes", "no"], var.new-public-ip)
- error_message = "Valid options are string('yes' or 'no')"
- }
-}
-
-locals {
- # Validate that new-public-ip is false when existing-public-ip is used
- is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
- validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used"
- _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
-
-variable "plan_product" {
- description = "Use the following plan when deploying with terraform: cp-vwan-managed-app"
- type = string
- default = "cp-vwan-managed-app"
-}
-
-variable "plan_version" {
- description = "Use the latest version of the managed application (e.g., 1.0.24) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192"
- type = string
- default = "1.0.24"
-}
-
-variable "custom_license_type" {
- description = "License type when using staged image."
- type = string
- default = ""
- validation {
- condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type)
- error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty."
- }
-}
diff --git a/modules/single-gateway/README.md b/modules/single-gateway/README.md
new file mode 100644
index 0000000..72fc697
--- /dev/null
+++ b/modules/single-gateway/README.md
@@ -0,0 +1,163 @@ +# Check Point CloudGuard Single Gateway Module + +This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution in azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity +- Storage account + + +This solution uses the following submodules: +- common - used for creating a resource group and defining common variables. +- vnet - used for creating new virtual network and subnets. +- network_security_group - used for creating new network security groups and rules. +- storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics. + +## Usage +Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). + +**Example:** +```hcl +provider "azurerm" { + features {} +} + +module "example_module" { + source = "CheckPointSW/cloudguard-network-security/azure//modules/single-gateway" + version = "1.0.6" + + # Authentication Variables + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + + # Basic Configurations Variables + resource_group_name = "checkpoint-mds-rg-terraform" + single_gateway_name = "checkpoint-mds-terraform" + location = "eastus" + tags = {} + + # Virtual Machine Instances Variables + source_image_vhd_uri = "noCustomUri" + authentication_type = "Password" + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + installation_type = "gateway" + vm_size = "Standard_D4ds_v5" + disk_size = "110" + os_version = "R82" + vm_os_sku = "sg-byol" + vm_os_offer = 
"check-point-cg-r82" + allow_upload_download = true + admin_shell = "/etc/cli.sh" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + enable_custom_metrics = true + zone = "" + + # Smart-1 Cloud Variables + smart_1_cloud_token = "xxxxxxxxxxxx" + + # Management Variables + management_GUI_client_network = "0.0.0.0/0" + + # Networking Variables + vnet_name = "checkpoint-single-gw-vnet" + frontend_subnet_name = "Frontend" + backend_subnet_name = "Backend" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24", "10.0.2.0/24"] + nsg_id = "" + storage_account_deployment_mode = "New" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] +} +``` + +## Conditional creation +### Virtual Network: +You can specify wether you want to create a new Virtual Network or use an existing one: +- To create a new Virtual Network: + ``` + address_space = "10.0.0.0/16" + ``` +- To use an existing Virtual Network: + ``` + address_space = "" + existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME" + ``` + When using an existing Virtual Network the variable `frontend_subnet_name` and `backend_subnet_name` will be used as the name of the existing subnets inside the Virtual Network, you can also ignore the `address_prefixes` when you use an existing Virtual Network. + +### Cloud Metrics: +To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +### Boot Diagnostics: +You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. The available options for `storage_account_deployment_mode` are: +- `New` Creates a new storage account to be used for boot diagnostics.
+Usage: `storage_account_deployment_mode = "New"` +- `Exists` Uses an existing storage account for boot diagnostics.
+Usages: + ``` + storage_account_deployment_mode = "Existing" + existing_storage_account_name = "EXISTING_STORAGE_ACCOUNT_NAME" + existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME" + ``` +- `Managed`: Uses a managed (automatically created) storage account for boot diagnostics.
+Usage: `storage_account_deployment_mode = "Managed"` +- `None`: Disables boot diagnostics.
+Usage: `storage_account_deployment_mode = "None"`
+ +## Module's variables: +| Name | Description | Type | Allowed values | +| ---- | ----------- | ---- | -------------- | +| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | N/A | +| **client_id** | The client ID of the Service Principal used to deploy the solution | string | N/A | +| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | N/A | +| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | N/A | +| **resource_group_name** | The name of the resource group that will contain the contents of the deployment. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. | +| **single_gateway_name** | The name of the Check Point single GW Object. | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long. | +| **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Default:** {} | +| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. | string | **Default:** "noCustomUri" | +| **admin_username** | Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used. | string | **Default:** "notused" | +| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used. | string | "Password";
"SSH Public Key"; | +| **admin_password** | The password associated with the local administrator account on the gateway. | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | +| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key'. | string | **Default:** "" | +| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | +| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type. | string | N/A | +| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. | string | N/A | +| **installation_type** | Enables selecting installation type (gateway/standalone). | string | gateway;
standalone; | +| **vm_size** | Specifies the size of Virtual Machine. | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc). | +| **disk_size** | Storage data disk size (GB). | string | A number in the range 100 - 3995 (GB). | +| **os_version** | GAIA OS version. | string | "R8110";
"R8120";
"R82"; | +| **vm_os_sku** | A SKU of the image to be deployed. | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | +| **vm_os_offer** | The name of the image offer to be deployed. | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | +| **allow_upload_download**| Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | boolean | true;
false; | +| **admin_shell** | Enables selecting different admin shells. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | +| **bootstrap_script** | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
**Default:** "" | +| **is_blink** | Define if blink image is used for deployment. | boolean | true;
false;
**Default:** true | +| **enable_custom_metrics**| Indicates whether CloudGuard Metrics will be used for gateway monitoring. | boolean | true;
false;
**Default:** true | +| **zone** | Optional parameter, specifies the Availability Zone the solution should be deployed in. | string | "1"
**Default:** "" | +| **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service. Follow these instructions to quickly connect this member to Smart-1 Cloud. | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | N/A | +| **vnet_name** | The name of virtual network that will be created. | string | The name must beginn with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | +| **existing_vnet_resource_group** | The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network. | string | **Default:** "" | +| **frontend_subnet_name** | The Virtual Network subnet name for the frontend interface. | string | N/A | +| **backend_subnet_name** | The Virtual Network subnet name for the backend interface. | string | N/A | +| **address_space** | The address prefixes of the virtual network. | string | Valid CIDR block
**Default:** "10.12.0.0/16" | +| **subnet_prefixes** | Address prefix to be used for network subnets. | list(string) | The subnets need to be contained within the address space for this virtual network (defined by the address_space variable).
**Default:** ["10.0.0.0/24", "10.0.1.0/24"] | +| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a **Default** NSG will be created. | string | Existing NSG resource ID
**Default:** "" | +| **storage_account_deployment_mode** | Choose the boot diagnostics storage account type. | string | New;
Existing;
Managed;
None;
**Default:** New | +| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location.
Relevant only if `storage_account_deployment_mode = "New"`. | boolean | true;
false;
**Default:** false | +| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account.
Relevant only if `storage_account_deployment_mode = "New"`. | list(string) | A list of valid IPs and CIDRs
**Default:** [] | +| **existing_storage_account_name** | The existing storage account name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **existing_storage_account_resource_group_name** | The existing storage account resource group name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **sku** | SKU | string | **Default:** "Standard" | +| **security_rules** | Security rules for the Network Security. | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | \ No newline at end of file diff --git a/modules/single_gateway_existing_vnet/cloud-init.sh b/modules/single-gateway/cloud-init.sh old mode 100755 new mode 100644 similarity index 100% rename from modules/single_gateway_existing_vnet/cloud-init.sh rename to modules/single-gateway/cloud-init.sh diff --git a/modules/single_gateway_existing_vnet/locals.tf b/modules/single-gateway/locals.tf old mode 100755 new mode 100644 similarity index 100% rename from modules/single_gateway_existing_vnet/locals.tf rename to modules/single-gateway/locals.tf diff --git a/modules/single-gateway/main.tf b/modules/single-gateway/main.tf new file mode 100644 index 0000000..d7e16c3 --- /dev/null +++ b/modules/single-gateway/main.tf 
@@ -0,0 +1,234 @@
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../common/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ is_zonal = var.zone != ""
+ availability_zones_num = "1"
+ availability_zones = var.zone == "" ? [] : [var.zone]
+ admin_password = var.admin_password
+ installation_type = var.installation_type
+ module_name = local.module_name
+ module_version = local.module_version
+ number_of_vm_instances = 1
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ is_blink = var.is_blink
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Network Security Group **************************//
+module "network_security_group" {
+ source = "../common/network-security-group"
+ nsg_id = var.nsg_id
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}-nsg"
+ location = module.common.resource_group_location
+ security_rules = var.security_rules
+ tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ depends_on = [
+ module.network_security_group
+ ]
+ source = "../common/vnet"
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ existing_vnet_resource_group = var.existing_vnet_resource_group
+ location = module.common.resource_group_location
+ address_space = var.address_space
+ subnet_prefixes = var.subnet_prefixes
+ subnet_names = [var.frontend_subnet_name, var.backend_subnet_name]
+ nsg_id = module.network_security_group.id
+ tags = var.tags
+}
+
+resource "random_id" "public_ip_suffix" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+
+resource "azurerm_public_ip" "public_ip" {
+ name = var.single_gateway_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ idle_timeout_in_minutes = 30
+ domain_name_label = "${lower(var.single_gateway_name)}-${random_id.public_ip_suffix.hex}"
+ tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface_security_group_association" "security_group_association" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ module.network_security_group
+ ]
+ network_interface_id = azurerm_network_interface.nic.id
+ network_security_group_id = module.network_security_group.id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public_ip,
+ module.vnet
+ ]
+ name = "${var.single_gateway_name}-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = module.vnet.subnets[0]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 4)
+ public_ip_address_id = azurerm_public_ip.public_ip.id
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_network_interface" "nic1" {
+ depends_on = [
+ module.vnet
+ ]
+ name = "${var.single_gateway_name}-eth1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = module.vnet.subnets[1]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4)
+ }
+
+ tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Storage accounts **************************//
+module "vm_boot_diagnostics_storage" {
+ source = "../common/storage-account"
+ storage_account_deployment_mode = var.storage_account_deployment_mode
+ existing_storage_account_name = var.existing_storage_account_name
+ existing_storage_account_resource_group_name = var.existing_storage_account_resource_group_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ add_storage_account_ip_rules = var.add_storage_account_ip_rules
+ storage_account_additional_ips = var.storage_account_additional_ips
+ tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
+}
+
+//********************** Virtual Machines **************************//
+module "custom_image" {
+ source = "../common/custom-image"
+ source_image_vhd_uri = var.source_image_vhd_uri
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
+}
+
+resource "azurerm_virtual_machine" "single_gateway_vm_instance" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_network_interface.nic1
+ ]
+ location = module.common.resource_group_location
+ zones = var.zone == "" ? null : [var.zone]
+ name = var.single_gateway_name
+ network_interface_ids = [azurerm_network_interface.nic.id, azurerm_network_interface.nic1.id]
+ resource_group_name = module.common.resource_group_name
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = azurerm_network_interface.nic.id
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ dynamic "plan" {
+ for_each = module.custom_image.create_custom_image ? [] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.vm_boot_diagnostics_storage.boot_diagnostics
+ storage_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint
+ }
+
+ os_profile {
+ computer_name = lower(var.single_gateway_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ module_name = module.common.module_name
+ module_version = module.common.module_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ admin_shell = var.admin_shell
+ sic_key = var.sic_key
+ management_GUI_client_network = var.management_GUI_client_network
+ smart_1_cloud_token = var.smart_1_cloud_token
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = module.common.SSH_authentication_type_condition
+
+ dynamic "ssh_keys" {
+ for_each = module.common.SSH_authentication_type_condition ? [1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = var.admin_SSH_key
+ }
+ }
+ }
+
+ storage_image_reference {
+ id = module.custom_image.id
+ publisher = module.custom_image.create_custom_image ? null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.single_gateway_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.vm_boot_diagnostics_storage.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+
+ tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
+}
diff --git a/modules/single-gateway/variables.tf b/modules/single-gateway/variables.tf
new file mode 100644
index 0000000..d4a8958
--- /dev/null
+++ b/modules/single-gateway/variables.tf
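Review bot: The `ssh_keys` block in `os_profile_linux_config` hard-codes `path = "/home/notused/.ssh/authorized_keys"` while the same resource sets `admin_username = module.common.admin_username`, so if the effective username ever differs from `notused` the public key would presumably land outside the login user's home and SSH-key authentication would fail without an obvious error; `path = "/home/${module.common.admin_username}/.ssh/authorized_keys"` keeps the two in sync. Relatedly, `var.admin_username` is declared in this commit's variables.tf (default "notused") but is neither passed to `module "common"` nor referenced anywhere else in this file, so a caller setting it likely has no effect — either wire it through or drop the variable. Also, `module "vnet"` receives `tags = var.tags` (the whole map of maps) whereas every other module and resource here receives the merged `lookup(var.tags, "<type>", {})`/`all` map; if the vnet module performs its own per-resource-type lookup that is fine, but a one-line comment saying so would stop the next reader treating it as a bug.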
@@ -0,0 +1,276 @@
+//********************** Basic Configuration Variables **************************//
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into."
+ type = string
+}
+
+variable "single_gateway_name" {
+ description = "Single Gateway name."
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions."
+ type = string
+}
+
+variable "tags" {
+ description = "Assign tags by resource."
+ type = map(map(string))
+ default = {}
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ type = string
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used."
+ type = string
+ default = "notused"
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used."
+ type = string
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure."
+ type = string
+}
+
+variable "admin_SSH_key" {
+ description = "(Optional) The SSH public key for SSH authentication to the template instances."
+ type = string
+ default = ""
+}
+
+variable "sic_key" {
+ description = "Secure Internal Communication (SIC) key."
+ type = string
+
+ validation {
+ condition = length(var.sic_key) >= 12
+ error_message = "Variable [sic_key] must be at least 12 characters long."
+ }
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type."
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions."
+ type = string
+}
+
+variable "installation_type" {
+ description = "Installation type."
+ type = string
+ default = "gateway"
+
+ validation {
+ condition = contains([
+ "gateway",
+ "standalone"
+ ], var.installation_type)
+ error_message = "Variable [installation_type] must be one of the following: 'gateway', 'standalone'."
+ }
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine."
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995."
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version."
+ type = string
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed."
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point."
+ type = bool
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time."
+ type = string
+ default = "/etc/cli.sh"
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot."
+ type = string
+ default = ""
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment."
+ default = true
+}
+
+
+variable "enable_custom_metrics" {
+ description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
+ type = bool
+ default = true
+}
+
+variable "zone" {
+ description = "The availability zone to use for the Virtual Machine. Changing this forces a new resource to be created."
+ type = string
+ default = ""
+}
+
+//********************** Smart-1 Cloud Variables **************************//
+variable "smart_1_cloud_token" {
+ description = "Smart-1 Cloud Token."
+ type = string
+}
+
+//********************** Management Variables **************************//
+variable "management_GUI_client_network" {
+ description = "Allowed GUI clients - GUI clients network CIDR."
+ type = string
+
+ validation {
+ condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32"
+ error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
+ }
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name."
+ type = string
+}
+
+variable "existing_vnet_resource_group" {
+ description = "The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network."
+ type = string
+ default = ""
+}
+
+variable "frontend_subnet_name" {
+ description = "The Virtual Network subnet name for the frontend interface."
+ type = string
+}
+
+variable "backend_subnet_name" {
+ description = "The Virtual Network subnet name for the backend interface."
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.12.0.0/16"
+}
+
+variable "subnet_prefixes" {
+ description = "Address prefix to be used for network subnets."
+ type = list(string)
+ default = ["10.0.0.0/24", "10.0.1.0/24"]
+}
+
+variable "nsg_id" {
+ description = "(Optional) The Network Security Group ID."
+ type = string
+ default = ""
+}
+
+variable "storage_account_deployment_mode" {
+ description = "The deployment mode for the storage account. Options are 'New', 'Existing', 'Managed' and 'None'. If 'Existing', the storage account must be specified in the variable 'existing_storage_account_id'."
+ type = string
+ default = "New"
+}
+
+variable "add_storage_account_ip_rules" {
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+ type = bool
+ default = false
+}
+
+variable "storage_account_additional_ips" {
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ type = list(string)
+ default = []
+}
+
+variable "existing_storage_account_name" {
+ description = "The name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "existing_storage_account_resource_group_name" {
+ description = "The resource group name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'."
+ type = string
+ default = ""
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]."
+ type = list(any)
+ default = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
diff --git a/modules/single-gateway/versions.tf b/modules/single-gateway/versions.tf
new file mode 100644
index 0000000..7e95d53
--- /dev/null
+++ b/modules/single-gateway/versions.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.6"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.90.0"
+ }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.4.0"
+ }
+ random = {
+ version = "~> 3.6.0"
+ }
+ }
+}
+provider "azapi" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
diff --git a/modules/single_gateway_existing_vnet/README.md b/modules/single_gateway_existing_vnet/README.md
deleted file mode 100755
index a633453..0000000
--- a/modules/single_gateway_existing_vnet/README.md
+++ /dev/null
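Review bot: The defaults for `address_space` (`"10.12.0.0/16"`) and `subnet_prefixes` (`["10.0.0.0/24", "10.0.1.0/24"]`) are mutually inconsistent — the two subnets lie outside the VNet address space, which Azure rejects at subnet creation — so the module cannot be applied with defaults; `default = ["10.12.0.0/24", "10.12.1.0/24"]` (or documenting that both must be set together) fixes that. The secret-bearing variables `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values are echoed in plan/apply output and in any diff of the VM's `custom_data`; with `required_version = ">= 1.6"` in versions.tf there is no compatibility reason to omit it, and the same applies to the `client_secret` consumed by the provider blocks in the versions.tf hunk. The `security_rules` default is a single `AllowAllInBound` rule (`*` source, `*` ports, `*` protocol), while the README hunk in this same commit documents `**Default:** []`; one of the two has to change, and if allow-all is intentional (the gateway itself doing the filtering) the description should say so rather than leave it implicit. Two description strings are also off: `storage_account_deployment_mode` points to a variable `existing_storage_account_id` that does not exist (the real one is `existing_storage_account_name`), and `security_rules` contains the garbled field name `source_source_port_rangesport_range` where `source_port_ranges` is meant.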
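Review bot: `provider "azurerm"` and `provider "azapi"` are configured inside this child module with service-principal credentials taken from module variables; Terraform documents provider blocks in non-root modules as a legacy pattern, since a module containing its own provider configuration cannot be called with `count`, `for_each` or `depends_on`, and removing such a module call after apply leaves its resources without a provider to destroy them. The conventional layout keeps only `terraform { required_providers { … } }` here and lets the root module configure the providers (credentials from environment variables or the root `provider` block), passing aliases in via `providers = { … }` if needed. The `random` entry also omits `source`, which is tolerated (it defaults to `hashicorp/random`) but inconsistent with the other two entries; `source = "hashicorp/random"` aligns them. Whether anything in this module actually uses the azapi provider is not visible in this commit; if nothing does, the `azapi` requirement and its provider block can be dropped.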
@@ -1,103 +0,0 @@ - -# Check Point CloudGuard Network Security Single Gateway Module - Existing VNet - -This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into an existing VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- System assigned identity - - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_existing_vnet" - version = "1.0.8" - - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-single-gw-terraform" - single_gateway_name = "checkpoint-single-gw-terraform" - location = "eastus" - vnet_name = "checkpoint-single-gw-vnet" - vnet_resource_group = "existing-vnet-rg" - subnet_frontend_name = "frontend" - subnet_backend_name = "backend" - subnet_frontend_1st_Address = "10.0.1.4" - subnet_backend_1st_Address = "10.12.1.5" - management_GUI_client_network = "0.0.0.0/0" - admin_password = "xxxxxxxxxxxx" - smart_1_cloud_token = "xxxxxxxxxxxx" - sic_key = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "110" - vm_os_sku = "sg-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - enable_custom_metrics = true - admin_shell = "/etc/cli.sh" - installation_type = "gateway" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = 
false - storage_account_additional_ips = [] - -} -``` - -## Conditional creation -- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: - ``` - enable_custom_metrics = true - ``` - -### Module's variables: - - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period. | -| **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long. | -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | -| **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group. | -| **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet. | -| **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet. 
| -| **subnet_frontend_1st_Address** | First available address in frontend subnet | string | | -| **subnet_backend_1st_Address** | First available address in backend subnet | string | | -| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | -| **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | -| **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | -| **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. | -| **vm_size** | Specifies the size of Virtual Machine | string | "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5". | -| **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB). | -| **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license. | -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82". | -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82". | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it.
**Default:** "" | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false. | -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key". | -| **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateways monitoring | boolean | true;
false.
**Default:** true | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone. | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/single_gateway_existing_vnet/main.tf b/modules/single_gateway_existing_vnet/main.tf deleted file mode 100755 index d269fa7..0000000 --- a/modules/single_gateway_existing_vnet/main.tf +++ /dev/null 
@@ -1,248 +0,0 @@
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = 1
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = var.is_blink
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-data "azurerm_subnet" "frontend_subnet" {
- name = var.subnet_frontend_name
- virtual_network_name = var.vnet_name
- resource_group_name = var.vnet_resource_group
-}
-
-data "azurerm_subnet" "backend_subnet" {
- name = var.subnet_backend_name
- virtual_network_name = var.vnet_name
- resource_group_name = var.vnet_resource_group
-}
-
-resource "azurerm_public_ip" "public-ip" {
- name = var.single_gateway_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- idle_timeout_in_minutes = 30
- domain_name_label = join("", [
- lower(var.single_gateway_name),
- "-",
- random_id.randomId.hex])
-
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ? 
1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}-nsg"
- location = module.common.resource_group_location
- security_rules = var.security_rules
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic]
- network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip]
- name = "${var.single_gateway_name}-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
-
- ip_configuration {
- name = "ipconfig1"
- subnet_id = data.azurerm_subnet.frontend_subnet.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = var.subnet_frontend_1st_Address
- public_ip_address_id = azurerm_public_ip.public-ip.id
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface" "nic1" {
- depends_on = []
- name = "${var.single_gateway_name}-eth1"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
-
- ip_configuration {
- name = "ipconfig2"
- subnet_id = data.azurerm_subnet.backend_subnet.id
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = var.subnet_backend_1st_Address
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// 
Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
-
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 
1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
- depends_on = [
- azurerm_network_interface.nic,
- azurerm_network_interface.nic1]
- location = module.common.resource_group_location
- name = var.single_gateway_name
- network_interface_ids = [
- azurerm_network_interface.nic.id,
- azurerm_network_interface.nic1.id]
- resource_group_name = module.common.resource_group_name
- vm_size = module.common.vm_size
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = azurerm_network_interface.nic.id
-
- identity {
- type = module.common.vm_instance_identity
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- os_profile {
- computer_name = lower(var.single_gateway_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- admin_shell = var.admin_shell
- sic_key = var.sic_key
- management_GUI_client_network = var.management_GUI_client_network
- smart_1_cloud_token = var.smart_1_cloud_token
- enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ? 
null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = var.single_gateway_name
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
diff --git a/modules/single_gateway_existing_vnet/variables.tf b/modules/single_gateway_existing_vnet/variables.tf
deleted file mode 100755
index 4c56d1c..0000000
--- a/modules/single_gateway_existing_vnet/variables.tf
+++ /dev/null
@@ -1,279 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "single_gateway_name" {
- description = "Single gateway name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "smart_1_cloud_token" {
- description = "Smart-1 Cloud Token"
- type = string
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "installation_type" {
- description = "Installation type"
- type = string
- default = "gateway"
-}
-
-locals { // locals for 'installation_type' allowed values
- installation_type_allowed_values = [
- "gateway",
- "standalone"
- ]
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed." 
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "enable_custom_metrics" {
- description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
- type = bool
- default = true
-}
-
-variable "is_blink" {
- description = "Define if blink image is used for deployment"
- default = true
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "subnet_frontend_name" {
- description = "management subnet name"
- type = string
-}
-
-variable "subnet_backend_name" {
- description = "management subnet name"
- type = string
-}
-
-variable "subnet_frontend_1st_Address" {
- description = "The first available address of the frontend subnet"
- type = string
-}
-
-variable "subnet_backend_1st_Address" {
- description = "The first available address of the backend subnet"
- type = string
-}
-
-variable "vnet_resource_group" {
- description = "Resource group of existing vnet"
- type = string
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "management_GUI_client_network" {
- description = "Allowed GUI clients - GUI clients network CIDR"
- type = string
-}
-
-locals {
- regex_valid_single_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
- // Will fail if var.management_GUI_client_network is invalid
- regex_single_GUI_client_network = regex(local.regex_valid_single_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
-
-
- regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
- // Will fail if var.subnet_1st_Address is invalid
- regex_subnet_frontend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_frontend_1st_Address) == var.subnet_frontend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address."
-
- regex_subnet_backend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_backend_1st_Address) == var.subnet_backend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." 
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- default = ""
- type = string
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-variable "sic_key" {
- type = string
-}
-
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = [
- {
- name = "AllowAllInBound"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "*"
- source_port_ranges = "*"
- destination_port_ranges = ""
- description = "Allow all inbound connections"
- source_address_prefix = "*"
- destination_address_prefix = ""
- }
- ]
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
diff --git a/modules/single_gateway_existing_vnet/versions.tf b/modules/single_gateway_existing_vnet/versions.tf
deleted file mode 100755
index 8827a9f..0000000
--- a/modules/single_gateway_existing_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/single_gateway_new_vnet/README.md b/modules/single_gateway_new_vnet/README.md
deleted file mode 100755
index 685dd01..0000000
--- a/modules/single_gateway_new_vnet/README.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# Check Point CloudGuard Single Gateway Module - New VNet
-
-This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into a new VNet in azure.
-As part of the deployment the following resources are created:
-- Resource group
-- Virtual network
-- Network security group
-- System assigned identity
-
-
-This solution uses the following submodules:
-- common - used for creating a resource group and defining common variables.
-- vnet - used for creating new virtual network and subnets.
-- network_security_group - used for creating new network security groups and rules.
-
-## Usage
-Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest).
-
-**Example:**
-```
-provider "azurerm" {
- features {}
-}
-
-module "example_module" {
-
- source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_new_vnet"
- version = "1.0.8"
-
- source_image_vhd_uri = "noCustomUri"
- resource_group_name = "checkpoint-single-gw-terraform"
- single_gateway_name = "checkpoint-single-gw-terraform"
- location = "eastus"
- vnet_name = "checkpoint-single-gw-vnet"
- address_space = "10.0.0.0/16"
- frontend_subnet_prefix = "10.0.1.0/24"
- backend_subnet_prefix = "10.0.2.0/24"
- management_GUI_client_network = "0.0.0.0/0"
- admin_password = "xxxxxxxxxxxx"
- smart_1_cloud_token = "xxxxxxxxxxxx"
- sic_key = "xxxxxxxxxxxx"
- vm_size = "Standard_D4ds_v5"
- disk_size = "110"
- vm_os_sku = "sg-byol"
- vm_os_offer = "check-point-cg-r82"
- os_version = "R82"
- bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
- allow_upload_download = true
- authentication_type = "Password"
- enable_custom_metrics = true
- admin_shell = "/etc/cli.sh"
- installation_type = "gateway"
- serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- maintenance_mode_password_hash = 
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- nsg_id = ""
- add_storage_account_ip_rules = false
- storage_account_additional_ips = []
-}
-```
-
-## Conditional creation
-- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service:
- ```
- enable_custom_metrics = true
- ```
-
-
-### Module's variables:
- | Name | Description | Type | Allowed values |
-|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" |
-| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period |
-| **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long |
-| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions |
-| **vnet_name** | The name of virtual network that will be created | string | The name must beginn with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens |
-| **address_space** | The address prefixes of the virtual network | string | Valid CIDR block
**Default:** "10.12.0.0/16" |
-| **frontend_subnet_prefix** | The address prefix to be used for created frontend subnet | string | The subnets need to contain within the address space for this virtual network (defined by address_space variable)
**Default:** "10.12.0.0/24" |
-| **backend_subnet_prefix** | The address prefix to be used for created backend subnet | string | The subnets need to contain within the address space for this virtual network (defined by address_space variable)
**Default:** "10.12.1.0/24" |
-| **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | |
-| **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character |
-| **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service. Follow these instructions to quickly connect this member to Smart-1 Cloud | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal |
-| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long |
-| **vm_size** | Specifies the size of Virtual Machine | string | Various valid sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc.) |
-| **disk_size** | Storage data disk size (GB) | string | A number in the range 100 - 3995 (GB) |
-| **vm_os_sku** | A SKU of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license |
-| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; |
-| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82"; |
-| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
**Default:** "" |
-| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; |
-| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; |
-| **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be used for gateway monitoring | boolean | true;
false;
**Default:** true |
-| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" |
-| **installation_type** | Enables selecting installation type (gateway/standalone) | string | gateway;
standalone; |
-| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type | string | |
-| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions | string | |
-| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, a **Default** NSG will be created | string | Existing NSG resource ID
**Default:** "" |
-| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location | boolean | true;
false;
**Default:** false |
-| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] |
-| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] |
-| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" |
-| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true |
-| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/single_gateway_new_vnet/cloud-init.sh b/modules/single_gateway_new_vnet/cloud-init.sh
deleted file mode 100755
index ff60d82..0000000
--- a/modules/single_gateway_new_vnet/cloud-init.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/python3 /etc/cloud_config.py
-
-installationType="${installation_type}"
-allowUploadDownload="${allow_upload_download}"
-osVersion="${os_version}"
-templateName="${module_name}"
-templateVersion="${module_version}"
-templateType="${template_type}"
-isBlink="${is_blink}"
-bootstrapScript64="${bootstrap_script64}"
-location="${location}"
-adminShell="${admin_shell}"
-sicKey="${sic_key}"
-managementGUIClientNetwork="${management_GUI_client_network}"
-smart1CloudToken="${smart_1_cloud_token}"
-customMetrics="${enable_custom_metrics}"
-passwordHash="${serial_console_password_hash}"
-MaintenanceModePassword="${maintenance_mode_password_hash}"
\ No newline at end of file
diff --git a/modules/single_gateway_new_vnet/locals.tf b/modules/single_gateway_new_vnet/locals.tf
deleted file mode 100755
index 0c8fc01..0000000
--- a/modules/single_gateway_new_vnet/locals.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-locals {
- module_name = "single_terraform_registry"
- module_version = "1.0.7"
-}
diff --git a/modules/single_gateway_new_vnet/main.tf b/modules/single_gateway_new_vnet/main.tf
deleted file mode 100755
index bb9f003..0000000
--- a/modules/single_gateway_new_vnet/main.tf
+++ /dev/null
@@ -1,248 +0,0 @@
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = 1
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- is_blink = var.is_blink
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-module "vnet" {
- source = "../vnet"
-
- vnet_name = var.vnet_name
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- address_space = var.address_space
- subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix]
- subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"]
- nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id : var.nsg_id
- tags = var.tags
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ?
1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}-nsg"
- location = module.common.resource_group_location
- security_rules = var.security_rules
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "public-ip" {
- name = var.single_gateway_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = var.vnet_allocation_method
- sku = var.sku
- idle_timeout_in_minutes = 30
- domain_name_label = join("", [
- lower(var.single_gateway_name),
- "-",
- random_id.randomId.hex])
-
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network_security_group]
- network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = var.nsg_id == "" ?
module.network_security_group[0].network_security_group_id: var.nsg_id
-}
-
-resource "azurerm_network_interface" "nic" {
- depends_on = [
- azurerm_public_ip.public-ip]
- name = "${var.single_gateway_name}-eth0"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
-
- ip_configuration {
- name = "ipconfig1"
- subnet_id = module.vnet.vnet_subnets[0]
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(var.frontend_subnet_prefix, 4)
- public_ip_address_id = azurerm_public_ip.public-ip.id
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_network_interface" "nic1" {
- depends_on = []
- name = "${var.single_gateway_name}-eth1"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = true
- enable_accelerated_networking = true
-
-
- ip_configuration {
- name = "ipconfig2"
- subnet_id = module.vnet.vnet_subnets[1]
- private_ip_address_allocation = var.vnet_allocation_method
- private_ip_address = cidrhost(var.backend_subnet_prefix, 4)
- }
-
- tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "bootdiag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type =
module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
- network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
-
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
- depends_on = [
- azurerm_network_interface.nic,
- azurerm_network_interface.nic1]
- location = module.common.resource_group_location
- name = var.single_gateway_name
- network_interface_ids = [
- azurerm_network_interface.nic.id,
- azurerm_network_interface.nic1.id]
- resource_group_name = module.common.resource_group_name
- vm_size = module.common.vm_size
- delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
- primary_network_interface_id = azurerm_network_interface.nic.id
-
- identity {
- type = module.common.vm_instance_identity
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ?
[
- ] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- boot_diagnostics {
- enabled = module.common.boot_diagnostics
- storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- os_profile {
- computer_name = lower(var.single_gateway_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- admin_shell = var.admin_shell
- sic_key = var.sic_key
- management_GUI_client_network = var.management_GUI_client_network
- smart_1_cloud_token = var.smart_1_cloud_token
- enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- })
- }
-
- os_profile_linux_config {
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "ssh_keys" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- path = "/home/notused/.ssh/authorized_keys"
- key_data = var.admin_SSH_key
- }
- }
- }
-
- storage_image_reference {
- id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
- publisher = local.custom_image_condition ?
null : module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
-
- storage_os_disk {
- name = var.single_gateway_name
- create_option = module.common.storage_os_disk_create_option
- caching = module.common.storage_os_disk_caching
- managed_disk_type = module.common.storage_account_type
- disk_size_gb = module.common.disk_size
- }
-
- tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {}))
-}
diff --git a/modules/single_gateway_new_vnet/variables.tf b/modules/single_gateway_new_vnet/variables.tf
deleted file mode 100755
index b599d04..0000000
--- a/modules/single_gateway_new_vnet/variables.tf
+++ /dev/null
@@ -1,279 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "single_gateway_name" {
- description = "Single gateway name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine.
The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "smart_1_cloud_token" {
- description = "Smart-1 Cloud Token"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "installation_type" {
- description = "Installation type"
- type = string
- default = "gateway"
-}
-
-locals { // locals for 'installation_type' allowed values
- installation_type_allowed_values = [
- "gateway",
- "standalone"
- ]
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995"
- type = string
-}
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "enable_custom_metrics" {
- description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
- type = bool
- default = true
-}
-
-variable "is_blink" {
- description = "Define if blink image is used for deployment"
- default = true
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "address_space" {
- description = "The address space that is used by a Virtual Network."
- type = string
- default = "10.12.0.0/16"
-}
-
-variable "frontend_subnet_prefix" {
- description = "Address prefix to be used for network frontend subnet"
- type = string
- default = "10.12.0.0/24"
-}
-
-variable "backend_subnet_prefix" {
- description = "Address prefix to be used for network backend subnet"
- type = string
- default = "10.12.1.0/24"
-}
-
-variable "vnet_subnets" {
- description = "Subnets in vnet"
- type = list(string)
- default = ["10.12.0.0/24", "10.12.1.0/24"]
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "management_GUI_client_network" {
- description = "Allowed GUI clients - GUI clients network CIDR"
- type = string
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-locals {
- regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
- // Will fail if var.management_GUI_client_network is invalid
- regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
-
-
- regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
- // Will fail if var.address_space is invalid
- regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation."
- // Will fail if var.subnet_prefix is invalid
- regex_frontend_subnet_prefix = regex(local.regex_valid_network_cidr, var.frontend_subnet_prefix) == var.frontend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation."
- // Will fail if var.subnet_prefix is invalid
- regex_backend_subnet_prefix = regex(local.regex_valid_network_cidr, var.backend_subnet_prefix) == var.backend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation."
-}
-
-variable "bootstrap_script" {
- description = "An optional script to run on the initial boot"
- default = ""
- type = string
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = [
- {
- name = "AllowAllInBound"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "*"
- source_port_ranges = "*"
- destination_port_ranges = "*"
- description = "Allow all inbound connections"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ]
-}
-//********************** Credentials **************************//
-
-variable "sic_key" {
- type = string
-}
-
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ?
0 : "SIC key must be at least 12 characters long"
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
diff --git a/modules/single_gateway_new_vnet/versions.tf b/modules/single_gateway_new_vnet/versions.tf
deleted file mode 100755
index 8827a9f..0000000
--- a/modules/single_gateway_new_vnet/versions.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
\ No newline at end of file
diff --git a/modules/vmss/README.md b/modules/vmss/README.md
new file mode 100644
index 0000000..ce9f0e3
--- /dev/null
+++ b/modules/vmss/README.md
@@ -0,0 +1,228 @@
+# Check Point CloudGuard VMSS Module
+This Terraform module deploys Check Point CloudGuard VMSS solution in azure.
+As part of the deployment the following resources are created:
+- Resource group
+- Virtual network
+- Network security group
+- Storage account
+- Role assignment - conditional creation
+
+This solution uses the following modules:
+- common - used for creating a resource group and defining common variables.
+- vnet - used for creating new virtual network and subnets or using an existing virtual network.
+- network-security-group - used for creating new network security groups and rules or using an existing network security group.
+- storage-account - used for creating new storage account or using an existing one to use for the boot diagnostics.
+
+For additional information,
+please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm)
+
+## Usage
+Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest).
+
+**Example:**
+```hcl
+provider "azurerm" {
+ features {}
+}
+
+module "example_module" {
+ source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss"
+ version = "1.0.6"
+
+ # Authentication Variables
+ client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+ # Basic Configurations Variables
+ vmss_name = "checkpoint-vmss-terraform"
+ resource_group_name = "checkpoint-vmss-terraform"
+ location = "eastus"
+ tags = {}
+
+ # Virtual Machine Instances Variables
+ source_image_vhd_uri = "noCustomUri"
+ authentication_type = "Password"
+ admin_password = "xxxxxxxxxxxx"
+ sic_key = "xxxxxxxxxxxx"
+ serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ vm_size = "Standard_D4ds_v5"
+ disk_size = "100"
+ os_version = "R82"
+ vm_os_sku = "sg-byol"
+ vm_os_offer = "check-point-cg-r82"
+ allow_upload_download = true
+ admin_shell = "/etc/cli.sh"
+ bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+ availability_zones_num = "3"
+ availability_zones = ["1", "2", "3"]
+ configuration_template_name = "vmss_template"
+ enable_custom_metrics = true
+
+ # Management Variables
+ management_name = "mgmt"
+ management_IP = "13.92.42.181"
+ management_interface = "eth1-private"
+
+ # Networking Variables
+ vnet_name = "checkpoint-vmss-vnet"
+ frontend_subnet_name = "Frontend"
+ backend_subnet_name = "Backend"
+ address_space = "10.0.0.0/16"
+ subnet_prefixes = ["10.0.1.0/24", "10.0.2.0/24"]
+ nsg_id = ""
+ storage_account_deployment_mode = "New"
+ add_storage_account_ip_rules = false
+ storage_account_additional_ips = []
+
+ # Load Balancers Variables
+ deployment_mode = "Standard"
+ backend_lb_IP_address = 4
+ frontend_load_distribution = "Default"
+ backend_load_distribution =
"Default"
+ enable_floating_ip = true
+ use_public_ip_prefix = false
+ create_public_ip_prefix = false
+ existing_public_ip_prefix_id = ""
+
+ # Scale Set variables
+ number_of_vm_instances = 2
+ minimum_number_of_vm_instances = 2
+ maximum_number_of_vm_instances = 10
+ notification_email = ""
+}
+```
+
+## Conditional creation
+### Virtual Network:
+You can specify wether you want to create a new Virtual Network or use an existing one:
+- To create a new Virtual Network:
+ ```
+ address_space = "10.0.0.0/16"
+ ```
+- To use an existing Virtual Network:
+ ```
+ address_space = ""
+ existing_vnet_resource_group = "EXISTING VIRTUAL NETWORK RESOURCE GROUP NAME"
+ ```
+ When using an existing Virtual Network the variable `frontend_subnet_name` and `backend_subnet_name` will be used as the name of the existing subnets inside the Virtual Network, you can also ignore the `address_prefixes` when you use an existing Virtual Network.
+
+### Availability types deployment:
+- To define the number of zones for VMSS instances deployment in supported regions:
+ ```
+ availability_zones_num = "3"
+ ```
+ Otherwise, to deploy the solution in regions not supporting Availability Zones, or if the zone preference is not important:
+ ```
+ availability_zones_num = "0"
+ ```
+- To specify which zones to deploy into, set:
+ ```
+ availability_zones = ["1", "2", "3"]
+ ```
+ If availability_zones is not provided or is set to an empty list ([]), the deployment will still use multiple zones by default.
+
+### Public IP Prefix:
+To create new public IP prefix for the public IP:
+ ```
+ use_public_ip_prefix = true
+ create_public_ip_prefix = true
+ ```
+To use an existing public IP prefix for the public IP:
+ ```
+ use_public_ip_prefix = true
+ create_public_ip_prefix = false
+ existing_public_ip_prefix_id = "public IP prefix resource id"
+ ```
+
+### Cloud Metrics:
+To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service:
+```
+enable_custom_metrics = true
+```
+
+### Boot Diagnostics:
+To use boot diagnostics you can choose the storage account type or you can disable the boot diagnostics entirely.
+You can configure boot diagnostics by selecting the desired storage account deployment mode or disabling boot diagnostics entirely. The available options for `storage_account_deployment_mode` are:
+- `New` Creates a new storage account to be used for boot diagnostics.
+Usage: `storage_account_deployment_mode = "New"`
+- `Exists` Uses an existing storage account for boot diagnostics.
+Usages:
+ ```
+ storage_account_deployment_mode= "Existing"
+ existing_storage_account_name = "EXISTING_STORAGE_ACCOUNT_NAME"
+ existing_storage_account_resource_group_name = "EXISTING_STORAGE_ACCOUNT_RESOURCE_GROUP_NAME"
+ ```
+- `Managed`: Uses a managed (automatically created) storage account for boot diagnostics.
+Usage: `storage_account_deployment_mode = "Managed"`
+- `None`: Disables boot diagnostics.
+Usage: `storage_account_deployment_mode = "None"`
+**Note:** When deploying a Virtual Machine Scale Set (VMSS) using Terraform, Azure does not currently support deployment without boot diagnostics. Therefore, setting storage_account_deployment_mode = "None" behaves the same as "Managed" — a managed storage account will still be created automatically.
+For more information, refer to the official - [Checkout the Azure Terraform documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine_scale_set#boot_diagnostics-1)
+
+## Module's variables:
+| Name | Description | Type | Allowed values |
+| ---- | ----------- | ---- | -------------- |
+| **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | N/A |
+| **client_id** | The client ID of the Service Principal used to deploy the solution | string | N/A |
+| **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | N/A |
+| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | N/A |
+| **resource_group_name** | The name of the resource group that will contain the contents of the deployment. | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
Note: Resource group name must not contain reserved words based on: sk40179. |
+| **vmss_name** | The name of the Check Point VMSS Object. | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long.
Note: VMSS name must not contain reserved words based on: sk40179. |
+| **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. |
+| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | **Default:** {} |
+| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. | string | **Default:** "noCustomUri" |
+| **admin_username** | The username of the local administrator used for the Virtual Machines. | string | **Default:** "azureuser" |
+| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used. | string | "Password";
"SSH Public Key"; |
+| **admin_password** | The password associated with the local administrator account on each cluster member. | string | Password must have 3 of the following: 1 lowercase character, 1 uppercase character, 1 number, and 1 special character. |
+| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key'. | string | **Default:** "" |
+| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the cluster object and the management server. | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. |
+| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type. | string | N/A |
+| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions. | string | N/A |
+| **vm_size** | Specifies the size of Virtual Machine. | string | A list of valid VM sizes (e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc). |
+| **disk_size** | Storage data disk size (GB) must be 100 for versions R81.20 and below. | string | A number in the range 100 - 3995 (GB).
**Default:** 100 |
+| **os_version** | GAIA OS version. | string | "R8110";
"R8120";
"R82";
|
+| **vm_os_sku** | A SKU of the image to be deployed. | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; |
+| **vm_os_offer** | The name of the image offer to be deployed. | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; |
+| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | boolean | true;
false; |
+| **admin_shell** | Enables selecting different admin shells. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" |
+| **bootstrap_script** | An optional script to run on the initial boot. | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" |
+| **availability_zones_num** | An optional string specifying the amount of Availability Zones where the Virtual Machines should be allocated. | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" |
+| **availability_zones** | An optional parameter specifying the Availability Zones where the Virtual Machines should be allocated. | list(string) | ["1", "2", "3"];
["1"] |
+| **is_blink** | Define if blink image is used for deployment. | boolean | true;
false;
**Default:** true |
+| **configuration_template_name** | The configuration template name as it appears in the configuration file. | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long. |
+| **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring. | boolean | true;
false; |
+| **management_name** | The name of the management server as it appears in the configuration file. | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long. |
+| **management_IP** | The IP address used to manage the VMSS instances. | string | A valid IP address. |
+| **management_interface** | Management option for the Gateways in the VMSS. | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" - Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address;
**Default:** "eth1-private" |
+| **vnet_name** | The name of the virtual network that will be created. | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. |
+| **existing_vnet_resource_group** | The name of the resource group where the Virtual Network is located. Required when using an existing Virtual Network. | string | N/A |
+| **frontend_subnet_name** | The Virtual Network frontend subnet name used for creating a new subnet with that name when create a new Virtual Network or used as the existing subnet name when using an existing Vritual Network. | string | N/A |
+| **backend_subnet_name** | The Virtual Network backend subnet name used for creating a new subnet with that name when create a new Virtual Network or used as the existing subnet name when using an existing Vritual Network. | string | N/A |
+| **address_space** | The address prefixes of the virtual network. | string | Valid CIDR block.
**Default:** "10.0.0.0/16" | +| **subnet_prefixes** | The address prefixes to be used for created subnets. | string | The subnets need to be contained within the address space for this virtual network (defined by the address_space variable).
**Default:** ["10.0.0.0/24", "10.0.1.0/24"] | +| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, will create a default NSG. | string | Existing NSG resource ID
**Default:** "" | +| **storage_account_deployment_mode** | Choose the boot diagnostics storage account type. | string | New;
Existing;
Managed;
None;
**Default:** New | +| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location.
Relevant only if `storage_account_deployment_mode = "New"` | boolean | true;
false;
**Default:** false | +| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account.
Relevant only if `storage_account_deployment_mode = "New"`. | list(string) | A list of valid IPs and CIDRs
**Default:** [] | +| **existing_strorage_account_name** | The existing storage account name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **existing_strorage_account_resource_group_name** | The existing storage account resource group name.
Relevant only if `storage_account_deployment_mode = "Existing"`. | string | **Default:** "" | +| **deployment_mode** | Indicates which load balancer needs to be deployed. External + Internal (Standard), only External, only Internal. | string | Standard;
External;
Internal;
**Default:** "Standard" | +| **backend_lb_IP_address** | A whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | number| Starting from the 5th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4, the LB IP is 10.0.1.4. | +| **lb_probe_port** | Port to be used for load balancer health probes and rules. | string | **Default:** "8117" | +| **lb_probe_protocol** | Protocols to be used for load balancer health probes and rules. | string | "TCP";
"HTTP";
"HTTPS";
**Default:** "TCP" | +| **lb_probe_unhealthy_threshold** | Number of consecutive failed health probes that must occur before a virtual machine is marked unhealthy. | number | **Default:** 2 | +| **lb_probe_interval** | Interval of load balancer health probes in seconds. | number | **Default:** 5 | +| **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer. | string | "Default" - None (5-tuple);
"SourceIP" - ClientIP (2-tuple);
"SourceIPProtocol" - ClientIP and protocol (3-tuple). | +| **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer. | string | "Default" - None (5-tuple);
"SourceIP" - ClientIP (2-tuple);
"SourceIPProtocol" - ClientIP and protocol (3-tuple). | +| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false;
**Default:** true | +| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false;
**Default:** false | +| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used. | boolean | true;
false;
**Default:** false | +| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID. | string | Existing public IP prefix resource ID
**Default:** "" | +| **security_rules** | Security rules for the Network Security. | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | +| **number_of_vm_instances** | The default number of VMSS instances to deploy. | number | The number of VMSS instances must not be less then `minimum_number_of_vm_instances`. If the number of VMSS is greater then the `maximum_number_of_vm_instances` use the maximum number by default.
**Default**: 2; | +| **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource. | number | Valid values are in the range 0 - 10. | +| **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource. | number | Valid values are in the range 0 - 10. | +| **notification_email** | An email address to notify about scaling operations. | string | Leave empty double quotes or enter a valid email address. | \ No newline at end of file diff --git a/modules/vmss_existing_vnet/cloud-init.sh b/modules/vmss/cloud-init.sh old mode 100755 new mode 100644 similarity index 100% rename from modules/vmss_existing_vnet/cloud-init.sh rename to modules/vmss/cloud-init.sh diff --git a/modules/vmss_existing_vnet/locals.tf b/modules/vmss/locals.tf old mode 100755 new mode 100644 similarity index 56% rename from modules/vmss_existing_vnet/locals.tf rename to modules/vmss/locals.tf index 406c280..5c46b4c --- a/modules/vmss_existing_vnet/locals.tf +++ b/modules/vmss/locals.tf @@ -1,5 +1,5 @@ locals { - module_name = "vmss_terraform_registry" + module_name = "vmss_terraform_registry" module_version = "1.0.7" // Validate that the minimum number of VM instances is at least 0. 
@@ -16,24 +16,27 @@ locals { // Validate the number of VM instances against the minimum requirement. // If the number of instances is less than the minimum, return an error message. - validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.") + validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances ? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.") + + management_interface_name = split("-", var.management_interface)[0] + management_ip_address_type = split("-", var.management_interface)[1] vmss_tags = var.management_interface == "eth0" ? { - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, x-chkp-management-interface = local.management_interface_name, - x-chkp-management-address = var.management_IP, - x-chkp-topology = "eth0:external,eth1:internal", - x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri - } : { - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-address = var.management_IP, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } : { + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, x-chkp-management-interface = local.management_interface_name, - x-chkp-topology = "eth0:external,eth1:internal", - 
x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri } } diff --git a/modules/vmss/main.tf b/modules/vmss/main.tf new file mode 100644 index 0000000..60c3f7d --- /dev/null +++ b/modules/vmss/main.tf 
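Review bot: The selector `var.management_interface == "eth0"` on the `vmss_tags` line can never be true, because the `management_interface` validation in variables.tf in this same commit only admits `eth0-public`, `eth0-private` and `eth1-private`; the first map, the only one carrying `x-chkp-management-address`, is therefore dead and that tag is never emitted for eth0-managed gateways. The `management_interface_name` local added just above this line already holds the interface half of the split, so the comparison should read `vmss_tags = local.management_interface_name == "eth0" ? {`. The `locals` block this belongs to opens outside the hunk.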
@@ -0,0 +1,417 @@ +//********************** Basic Configuration **************************// +module "common" { + source = "../common/common" + resource_group_name = var.resource_group_name + location = var.location + is_zonal = var.availability_zones_num != "0" + availability_zones_num = var.availability_zones_num + availability_zones = var.availability_zones + admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password + installation_type = "vmss" + module_name = local.module_name + module_version = local.module_version + number_of_vm_instances = local.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) +} + +//********************** Network Security Group **************************// +module "network_security_group" { + source = "../common/network-security-group" + nsg_id = var.nsg_id + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) +} + +//********************** Networking **************************// +module "vnet" { + depends_on = [ + module.network_security_group + ] + source = "../common/vnet" + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + existing_vnet_resource_group = var.existing_vnet_resource_group + location = module.common.resource_group_location + address_space 
= var.address_space + subnet_prefixes = var.subnet_prefixes + subnet_names = [var.frontend_subnet_name, var.backend_subnet_name] + nsg_id = module.network_security_group.id + tags = var.tags +} + +//********************** Load Balancers **************************// +resource "random_id" "random_id" { + byte_length = 13 + keepers = { + rg_id = module.common.resource_group_id + } +} + +resource "azurerm_public_ip_prefix" "public_ip_prefix" { + count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0 + name = "${module.common.resource_group_name}-ipprefix" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + prefix_length = 30 + tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_public_ip" "public_ip_lb" { + count = var.deployment_mode != "Internal" ? 1 : 0 + name = "${var.vmss_name}-app-1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_lb" "frontend_lb" { + depends_on = [ + azurerm_public_ip.public_ip_lb + ] + count = var.deployment_mode != "Internal" ? 
1 : 0 + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "${var.vmss_name}-app-1" + public_ip_address_id = azurerm_public_ip.public_ip_lb[0].id + } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_lb_backend_address_pool" "frontend_lb_pool" { + count = var.deployment_mode != "Internal" ? 1 : 0 + loadbalancer_id = azurerm_lb.frontend_lb[0].id + name = "${var.vmss_name}-app-1" +} + +resource "azurerm_lb" "backend_lb" { + count = var.deployment_mode != "External" ? 1 : 0 + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = module.vnet.subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address) + } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_lb_backend_address_pool" "backend_lb_pool" { + count = var.deployment_mode != "External" ? 1 : 0 + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend_lb[0].id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + depends_on = [ + azurerm_lb.frontend_lb, azurerm_lb.backend_lb + ] + count = var.deployment_mode == "Standard" ? 2 : 1 + loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend_lb[0].id : azurerm_lb.backend_lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend_lb[0].id : azurerm_lb.backend_lb[0].id) + name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? 
"${var.vmss_name}-app-1" : "backend-lb") + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +// Standard deployment +resource "azurerm_lb_rule" "lbnatrule_standard" { + depends_on = [ + azurerm_lb.frontend_lb[0], azurerm_lb_probe.azure_lb_healprob, azurerm_lb.backend_lb[0] + ] + count = var.deployment_mode == "Standard" ? 2 : 0 + loadbalancer_id = count.index == 0 ? azurerm_lb.frontend_lb[0].id : azurerm_lb.backend_lb[0].id + name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb" + protocol = count.index == 0 ? "Tcp" : "All" + frontend_port = count.index == 0 ? var.frontend_port : "0" + backend_port = count.index == 0 ? var.backend_port : "0" + backend_address_pool_ids = count.index == 0 ? [azurerm_lb_backend_address_pool.frontend_lb_pool[0].id] : [azurerm_lb_backend_address_pool.backend_lb_pool[0].id] + frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend_lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend_lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id + load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +// External deployment +resource "azurerm_lb_rule" "lbnatrule_external" { + depends_on = [ + azurerm_lb.frontend_lb[0], azurerm_lb_probe.azure_lb_healprob + ] + count = var.deployment_mode == "External" ? 
1 : 0 + loadbalancer_id = azurerm_lb.frontend_lb[0].id + name = "${var.vmss_name}-app-1" + protocol = "Tcp" + frontend_port = var.frontend_port + backend_port = var.backend_port + backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend_lb_pool[0].id] + frontend_ip_configuration_name = azurerm_lb.frontend_lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[0].id + load_distribution = var.frontend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +// Internal deployment +resource "azurerm_lb_rule" "lbnatrule_internal" { + depends_on = [ + azurerm_lb_probe.azure_lb_healprob, azurerm_lb.backend_lb[0] + ] + count = var.deployment_mode == "Internal" ? 1 : 0 + loadbalancer_id = azurerm_lb.backend_lb[0].id + name = "backend-lb" + protocol = "All" + frontend_port = "0" + backend_port = "0" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend_lb_pool[0].id] + frontend_ip_configuration_name = azurerm_lb.backend_lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[0].id + load_distribution = var.backend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +//********************** Storage accounts **************************// +module "vm_boot_diagnostics_storage" { + source = "../common/storage-account" + storage_account_deployment_mode = var.storage_account_deployment_mode + existing_storage_account_name = var.existing_storage_account_name + existing_storage_account_resource_group_name = var.existing_storage_account_resource_group_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + add_storage_account_ip_rules = var.add_storage_account_ip_rules + storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) +} + +//********************** Virtual Machines **************************// +module 
"custom_image" { + source = "../common/custom-image" + source_image_vhd_uri = var.source_image_vhd_uri + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_linux_virtual_machine_scale_set" "vmss" { + name = var.vmss_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = module.common.vm_size + instances = local.number_of_vm_instances + overprovision = false + zones = var.availability_zones_num == "0" ? null : ( + length(var.availability_zones) == 0 ? [for i in range(1, tonumber(var.availability_zones_num) + 1) : tostring(i)] : var.availability_zones + ) + + dynamic "identity" { + for_each = var.enable_custom_metrics ? [1] : [] + content { + type = "SystemAssigned" + } + } + + dynamic "source_image_reference" { + for_each = module.custom_image.create_custom_image ? [] : [1] + content { + publisher = module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + } + + source_image_id = module.custom_image.id + + os_disk { + disk_size_gb = module.common.disk_size + caching = module.common.storage_os_disk_caching + storage_account_type = module.vm_boot_diagnostics_storage.storage_account_type + } + + dynamic "plan" { + for_each = module.custom_image.create_custom_image ? 
[] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + computer_name_prefix = lower(var.vmss_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + module_name = module.common.module_name + module_version = module.common.module_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + vnet = module.vnet.subnet_prefixes[0] + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + })) + + disable_password_authentication = module.common.SSH_authentication_type_condition + + dynamic "admin_ssh_key" { + for_each = module.common.SSH_authentication_type_condition ? [1] : [] + content { + public_key = var.admin_SSH_key + username = "notused" + } + } + + + boot_diagnostics { + storage_account_uri = module.vm_boot_diagnostics_storage.storage_account_primary_blob_endpoint + } + + upgrade_mode = "Manual" + + network_interface { + name = "eth0" + primary = true + enable_ip_forwarding = true + enable_accelerated_networking = true + network_security_group_id = module.network_security_group.id + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.subnets[0] + load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? 
[azurerm_lb_backend_address_pool.frontend_lb_pool[0].id] : null + primary = true + public_ip_address { + name = "${var.vmss_name}-public-ip" + idle_timeout_in_minutes = 15 + domain_name_label = "${lower(var.vmss_name)}-dns-name" + } + } + } + + network_interface { + name = "eth1" + primary = false + enable_ip_forwarding = true + enable_accelerated_networking = true + ip_configuration { + name = "ipconfig2" + subnet_id = module.vnet.subnets[1] + load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? [azurerm_lb_backend_address_pool.backend_lb_pool[0].id] : null + primary = true + } + } + + tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags) +} + +resource "azurerm_monitor_autoscale_setting" "vmss_settings" { + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] + name = var.vmss_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + + profile { + name = "Profile1" + + capacity { + default = module.common.number_of_vm_instances + minimum = var.minimum_number_of_vm_instances + maximum = var.maximum_number_of_vm_instances + } + + rule { + metric_trigger { + metric_name = "Percentage CPU" + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "GreaterThan" + threshold = 80 + } + + scale_action { + direction = "Increase" + type = "ChangeCount" + value = "1" + cooldown = "PT5M" + } + } + + rule { + metric_trigger { + metric_name = "Percentage CPU" + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "LessThan" + threshold = 60 + } + + scale_action { + direction = "Decrease" + type = "ChangeCount" + 
value = "1" + cooldown = "PT5M" + } + } + } + + notification { + email { + send_to_subscription_administrator = false + send_to_subscription_co_administrator = false + custom_emails = var.notification_email == "" ? [] : [var.notification_email] + } + } + + tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {})) +} + +resource "azurerm_role_assignment" "custom_metrics_role_assignment" { + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] + count = var.enable_custom_metrics ? 1 : 0 + role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"]) + principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id") + scope = module.common.resource_group_id + + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } +} diff --git a/modules/vmss/variables.tf b/modules/vmss/variables.tf new file mode 100644 index 0000000..20a3171 --- /dev/null +++ b/modules/vmss/variables.tf 
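Review bot: `random_id.random_id.hex` does double duty as the generated `admin_password` handed to `module "common"` when `authentication_type` is "SSH Public Key" and as the public `domain_name_label` of `azurerm_public_ip.public_ip_lb`, so the generated credential is published verbatim in a world-resolvable DNS name. Password login is disabled in that mode through `disable_password_authentication`, but the value still reaches the instance as `admin_password` and is persisted in state, so it should not also be a public identifier; give the password its own generator and keep `random_id.random_id` for the DNS label only, as sketched below. The `custom_data` template also carries `sic_key` and the two password hashes; that is expected for this image's bootstrap, but the `custom_data` line deserves a comment such as `// rendered cloud-init is base64 only (not encrypted) and is stored in state` so operators protect the state file accordingly.
```hcl
resource "random_password" "admin_password" {
  length  = 26
  special = false
  keepers = {
    rg_id = module.common.resource_group_id
  }
}

// … unchanged: module "common" except the admin_password argument …
  admin_password = var.authentication_type == "SSH Public Key" ? random_password.admin_password.result : var.admin_password
```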
@@ -0,0 +1,419 @@ +//********************** Basic Configuration Variables **************************// +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into." + type = string +} + +variable "vmss_name" { + description = "VMSS name." + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions." + type = string +} + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + type = string + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used." + default = "notused" +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used." + type = string +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "admin_SSH_key" { + description = "(Optional) The SSH public key for SSH authentication to the template instances." 
+ type = string + default = "" +} + +variable "sic_key" { + description = "Secure Internal Communication (SIC) key." + type = string + + validation { + condition = length(var.sic_key) >= 12 + error_message = "Variable [sic_key] must be at least 12 characters long." + } +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type." + type = string + default = "" +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions." + type = string + default = "" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine." + type = string +} + +variable "disk_size" { + description = "Storage data disk size size (GB). Select a number between 100 and 3995." + type = string + default = "100" + + validation { + condition = tonumber(var.disk_size) != 100 && contains(["R8110", "R8120"], var.os_version) ? false : true + error_message = "Variable [disk_size] cannot be changed if the OS version is R81.20 or below." + } +} + +variable "os_version" { + description = "GAIA OS version." + type = string +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the offer of the image that you want to deploy." + type = string +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point." + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time." + type = string + default = "/etc/cli.sh" +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot." 
+ type = string + default = "value" +} + +variable "availability_zones_num" { + description = "The number of availability zones to use for Scale Set. Note that the load balancers and their IP addresses will be redundant in any case." + type = string + default = "0" +} + +variable "availability_zones" { + description = "A list of availability zones to use for Scale Set." + type = list(string) + default = [] +} + +variable "is_blink" { + description = "Define if blink image is used for deployment." + default = true +} + +variable "configuration_template_name" { + description = "The configuration template name as it appears in the configuration file." + type = string +} + +variable "enable_custom_metrics" { + description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service." + type = bool + default = true +} + +//*********************** Management Variables **************************// +variable "management_name" { + description = "The name of the management server as it appears in the configuration file." + type = string +} + +variable "management_IP" { + description = "The IP address used to manage the VMSS instances." + type = string +} + +variable "management_interface" { + description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + type = string + default = "eth1-private" + + validation { + condition = contains([ + "eth0-public", + "eth0-private", + "eth1-private" + ], var.management_interface) + error_message = "Variable [management_interface] must be one of the following: 'eth0-public', 'eth0-private', 'eth1-private'." + } +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name." + type = string +} + +variable "existing_vnet_resource_group" { + description = "The name of the resource group where the Virtual Network is located. 
Required when using an existing Virtual Network." + type = string + default = "" +} + +variable "frontend_subnet_name" { + description = "The Virtual Network subnet name for the frontend interface." + type = string +} + +variable "backend_subnet_name" { + description = "The Virtual Network subnet name for the backend interface." + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." + type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefixes" { + description = "Address prefix to be used for network subnets." + type = list(string) + default = ["10.0.0.0/24", "10.0.1.0/24"] +} + +variable "nsg_id" { + description = "(Optional) The Network Security Group ID." + type = string + default = "" +} + +variable "storage_account_deployment_mode" { + description = "The deployment mode for the storage account. Options are 'New', 'Existing', 'Managed' and 'None'. If 'Existing', the storage account must be specified in the variable 'existing_storage_account_id'." + type = string + default = "New" +} + +variable "add_storage_account_ip_rules" { + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location." + type = bool + default = false +} + +variable "storage_account_additional_ips" { + description = "IPs/CIDRs that are allowed access to the Storage Account." + type = list(string) + default = [] +} + +variable "existing_storage_account_name" { + description = "The name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'." + type = string + default = "" +} + +variable "existing_storage_account_resource_group_name" { + description = "The resource group name of an existing storage account to use if 'storage_account_deployment_mode' is set to 'Existing'." 
+ type = string + default = "" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "security_rules" { + description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]." + type = list(any) + default = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +//********************* Load Balancers Variables **********************// +variable "deployment_mode" { + description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer." + type = string + default = "Standard" + + validation { + condition = contains([ + "Standard", + "External", + "Internal" + ], var.deployment_mode) + error_message = "Variable [deployment_mode] must be one of the following: 'Standard', 'External', 'Internal'." + } +} + +variable "backend_lb_IP_address" { + description = "The IP address is defined by its position in the subnet." + type = number +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules." + type = string + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules." + type = string + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." 
+ type = number
+ default = 2
+}
+
+variable "lb_probe_interval" {
+ description = "Interval in seconds load balancer health probe rule performs a check."
+ type = number
+ default = 5
+}
+
+variable "frontend_port" {
+ description = "Port that will be exposed to the external Load Balancer."
+ type = string
+ default = "80"
+}
+
+variable "backend_port" {
+ description = "Port that will be exposed to the external Load Balance."
+ type = string
+ default = "80"
+}
+
+variable "frontend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the frontend load balancer."
+ type = string
+
+ validation {
+ condition = contains([
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ], var.frontend_load_distribution)
+ error_message = "Variable [frontend_load_distribution] must be one of the following: 'Default', 'SourceIP', 'SourceIPProtocol'."
+ }
+}
+
+variable "backend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the backend load balancer"
+ type = string
+
+ validation {
+ condition = contains([
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ], var.backend_load_distribution)
+ error_message = "Variable [backend_load_distribution] must be one of the following: 'Default', 'SourceIP', 'SourceIPProtocol'."
+ }
+}
+
+variable "enable_floating_ip" {
+ description = "Indicates whether the load balancers will be deployed with floating IP."
+ type = bool
+ default = true
+}
+
+variable "use_public_ip_prefix" {
+ description = "Indicates whether the public IP resources will be deployed with public IP prefix."
+ type = bool
+ default = false
+}
+
+variable "create_public_ip_prefix" {
+ description = "Indicates whether the public IP prefix will created or an existing will be used."
+ type = bool
+ default = false
+}
+
+variable "existing_public_ip_prefix_id" {
+ description = "The existing public IP prefix resource id."
+ type = string
+ default = ""
+}
+
+//********************** Scale Set variables *******************//
+variable "number_of_vm_instances" {
+ description = "Default number of VM instances to deploy."
+ type = string
+ default = "2"
+}
+
+variable "minimum_number_of_vm_instances" {
+ description = "Minimum number of VM instances to deploy."
+ type = string
+}
+
+variable "maximum_number_of_vm_instances" {
+ description = "Maximum number of VM instances to deploy."
+ type = string
+}
+
+variable "notification_email" {
+ description = "Specifies a list of custom email addresses to which the email notifications will be sent."
+ type = string
+}
diff --git a/modules/vmss/versions.tf b/modules/vmss/versions.tf
new file mode 100644
index 0000000..7e95d53
--- /dev/null
+++ b/modules/vmss/versions.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.6"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.90.0"
+ }
+ azapi = {
+ source = "Azure/azapi"
+ version = "~> 2.4.0"
+ }
+ random = {
+ version = "~> 3.6.0"
+ }
+ }
+}
+provider "azapi" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
diff --git a/modules/vmss_existing_vnet/README.md b/modules/vmss_existing_vnet/README.md
deleted file mode 100755
index fc0ae3d..0000000
--- a/modules/vmss_existing_vnet/README.md
+++ /dev/null
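Review bot: The `provider "azapi"` and `provider "azurerm"` blocks in the new `modules/vmss/versions.tf` configure providers inside a child module, each taking `client_secret = var.client_secret` as a plain input. Terraform treats provider configuration in a non-root module as a legacy pattern: a module that carries its own provider blocks cannot be called with `count`, `for_each` or `depends_on`, and removing the module call later leaves its resources without a provider to destroy them, so the provider blocks belong in the root module (passed in via `providers = { … }`) and this file would keep only the `terraform { required_providers { … } }` block. If the provider configuration stays here, the declaration of `client_secret` is not visible in this hunk, so confirm `variable "client_secret"` is declared with `sensitive = true` so the value is redacted from plan and CLI output, and consider documenting that the provider can also pick up `ARM_CLIENT_SECRET` from the environment or use a managed identity, which keeps the secret out of tfvars files. Minor: the `random` entry under `required_providers` omits the `source = "hashicorp/random"` that the `azurerm` and `azapi` entries spell out.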
@@ -1,148 +0,0 @@ -# Check Point CloudGuard VMSS Module - Existing VNet - -This Terraform module deploys Check Point CloudGuard Network Security VMSS solution into an existing VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Role assignment - conditional creation - - -For additional information, -please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_existing_vnet" - version = "1.0.8" - - subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-vmss-terraform" - location = "eastus" - vmss_name = "checkpoint-vmss-terraform" - vnet_name = "checkpoint-vmss-vnet" - vnet_resource_group = "existing-vnet" - frontend_subnet_name = "frontend" - backend_subnet_name = "backend" - backend_lb_IP_address = 4 - admin_password = "xxxxxxxxxxxx" - sic_key = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "100" - vm_os_sku = "sg-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - availability_zones_num = "1" - minimum_number_of_vm_instances = 2 - maximum_number_of_vm_instances = 10 - number_of_vm_instances = 2 - management_name = "mgmt" - management_IP = "13.92.42.181" - management_interface 
= "eth1-private" - configuration_template_name = "vmss_template" - notification_email = "" - frontend_load_distribution = "Default" - backend_load_distribution = "Default" - enable_custom_metrics = true - enable_floating_ip = true - use_public_ip_prefix = false - create_public_ip_prefix = false - existing_public_ip_prefix_id = "" - deployment_mode = "Standard" - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - -## Deploy Without Public IP - -1. By default, the VMSS is deployed with public IP -2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf - -## Conditional creation -- To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: - ``` - enable_custom_metrics = true - ``` -- To create new public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = true - ``` -- To use an existing public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = false - existing_public_ip_prefix_id = "public IP prefix resource id" - ``` - -### Module's variables: - -# Parameters Description - -| Name | Description | Type | Allowed values | -|------|-------------|------|----------------| -| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | -| **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
Note: Resource group name must not contain reserved words based on: sk40179. | -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions. | -| **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long.
Note: vmss_name name must not contain reserved words based on: sk40179. | -| **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens. | -| **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group. | -| **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet. | -| **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet. | -| **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4. | -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character. | -| **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long. 
| -| **vm_size** | Specifies the size of Virtual Machine | string | "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5". | -| **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB).
**Default:** 100 | -| **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license. | -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82". | -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82". | -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt".
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it. | -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false. | -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key". | -| **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth". | -| **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10. | -| **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10. | -| **number_of_vm_instances** | The default number of VMSS instances to deploy. | number | The number of VMSS instances must not be less then `minimum_number_of_vm_instances`. If the number of VMSS is greater then the `maximum_number_of_vm_instances` use the maximum number as default.
**Default**: 2; | -| **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long. | -| **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address. | -| **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" - Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address.
**Default:** "eth1-private" | -| **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long. | -| **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple). | -| **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple). | -| **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address. | -| **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false.
**Default:** true | -| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false.
**Default:** true | -| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false;
**Default:** false | -| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used. | boolean | true;
false;
**Default:** false | -| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID. | string | Existing public IP prefix resource ID
**Default:** "" | -| **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard;
External;
Internal.
**Default:** "Standard" | -| **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh.
**Default:** "/etc/cli.sh" | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | -| **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/vmss_existing_vnet/main.tf b/modules/vmss_existing_vnet/main.tf deleted file mode 100755 index acf8b00..0000000 --- a/modules/vmss_existing_vnet/main.tf +++ /dev/null 
@@ -1,433 +0,0 @@ -//********************** Basic Configuration **************************// -module "common" { - source = "../common" - resource_group_name = var.resource_group_name - location = var.location - admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password - installation_type = var.installation_type - module_name = local.module_name - module_version = local.module_version - number_of_vm_instances = local.number_of_vm_instances - allow_upload_download = var.allow_upload_download - vm_size = var.vm_size - disk_size = var.disk_size - is_blink = var.is_blink - os_version = var.os_version - vm_os_sku = var.vm_os_sku - vm_os_offer = var.vm_os_offer - authentication_type = var.authentication_type - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - storage_account_additional_ips = var.storage_account_additional_ips - tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}), local.vmss_tags) -} - -//********************** Networking **************************// - -data "azurerm_subnet" "frontend" { - name = var.frontend_subnet_name - virtual_network_name = var.vnet_name - resource_group_name = var.vnet_resource_group -} - -data "azurerm_subnet" "backend" { - name = var.backend_subnet_name - virtual_network_name = var.vnet_name - resource_group_name = var.vnet_resource_group -} - -module "network_security_group" { - source = "../network_security_group" - count = var.nsg_id == "" ? 
1 : 0 - resource_group_name = module.common.resource_group_name - security_group_name = "${module.common.resource_group_name}_nsg" - location = module.common.resource_group_location - security_rules = var.security_rules - tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) -} - -//********************** Load Balancers **************************// -resource "random_id" "random_id" { - byte_length = 13 - keepers = { - rg_id = module.common.resource_group_id - } -} - -resource "azurerm_public_ip_prefix" "public_ip_prefix" { - count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0 - name = "${module.common.resource_group_name}-ipprefix" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - prefix_length = 30 - tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_public_ip" "public-ip-lb" { - count = var.deployment_mode != "Internal" ? 1 : 0 - name = "${var.vmss_name}-app-1" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - allocation_method = var.vnet_allocation_method - sku = var.sku - domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}" - public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null - tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb" "frontend-lb" { - count = var.deployment_mode != "Internal" ? 
1 : 0 - depends_on = [azurerm_public_ip.public-ip-lb] - name = "frontend-lb" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - sku = var.sku - - frontend_ip_configuration { - name = "${var.vmss_name}-app-1" - public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id - } - - tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { - count = var.deployment_mode != "Internal" ? 1 : 0 - loadbalancer_id = azurerm_lb.frontend-lb[0].id - name = "${var.vmss_name}-app-1" -} - -resource "azurerm_lb" "backend-lb" { - count = var.deployment_mode != "External" ? 1 : 0 - name = "backend-lb" - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - sku = var.sku - frontend_ip_configuration { - name = "backend-lb" - subnet_id = data.azurerm_subnet.backend.id - private_ip_address_allocation = "Static" - private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address) - } - - tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { - count = var.deployment_mode != "External" ? 1 : 0 - name = "backend-lb-pool" - loadbalancer_id = azurerm_lb.backend-lb[0].id -} - -resource "azurerm_lb_probe" "azure_lb_healprob" { - count = var.deployment_mode == "Standard" ? 2 : 1 - depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb] - loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) - name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? 
"${var.vmss_name}-app-1" : "backend-lb") - protocol = var.lb_probe_protocol - port = var.lb_probe_port - interval_in_seconds = var.lb_probe_interval - number_of_probes = var.lb_probe_unhealthy_threshold -} - -// Standard deployment -resource "azurerm_lb_rule" "lbnatrule-standard" { - count = var.deployment_mode == "Standard" ? 2 : 0 - depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] - loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id - name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb" - protocol = count.index == 0 ? "Tcp" : "All" - frontend_port = count.index == 0 ? var.frontend_port : "0" - backend_port = count.index == 0 ? var.backend_port : "0" - backend_address_pool_ids = count.index == 0 ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] - frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name - probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id - load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution - enable_floating_ip = var.enable_floating_ip -} - -// External deployment -resource "azurerm_lb_rule" "lbnatrule-external" { - count = var.deployment_mode == "External" ? 
1 : 0 - depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob] - loadbalancer_id = azurerm_lb.frontend-lb[0].id - name = "${var.vmss_name}-app-1" - protocol = "Tcp" - frontend_port = var.frontend_port - backend_port = var.backend_port - backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] - frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name - probe_id = azurerm_lb_probe.azure_lb_healprob[0].id - load_distribution = var.frontend_load_distribution - enable_floating_ip = var.enable_floating_ip -} - -// Internal deployment -resource "azurerm_lb_rule" "lbnatrule-internal" { - count = var.deployment_mode == "Internal" ? 1 : 0 - depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] - loadbalancer_id = azurerm_lb.backend-lb[0].id - name = "backend-lb" - protocol = "All" - frontend_port = "0" - backend_port = "0" - backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] - frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name - probe_id = azurerm_lb_probe.azure_lb_healprob[0].id - load_distribution = var.backend_load_distribution - enable_floating_ip = var.enable_floating_ip -} - -//********************** Storage accounts **************************// -// Generate random text for a unique storage account name -resource "random_id" "randomId" { - keepers = { - # Generate a new ID only when a new resource group is defined - resource_group = module.common.resource_group_name - } - byte_length = 8 -} -resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { - name = "diag${random_id.randomId.hex}" - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - account_tier = module.common.storage_account_tier - account_replication_type = module.common.account_replication_type - account_kind = "StorageV2" - min_tls_version = "TLS1_2" - 
network_rules { - default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" - ip_rules = module.common.storage_account_ip_rules - } - blob_properties { - delete_retention_policy { - days = "15" - } - } - - tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) -} - - -//********************** Virtual Machines **************************// -locals { - SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false - availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"] - custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true - management_interface_name = split("-", var.management_interface)[0] - management_ip_address_type = split("-", var.management_interface)[1] -} - -resource "azurerm_image" "custom-image" { - count = local.custom_image_condition ? 1 : 0 - name = "custom-image" - location = var.location - resource_group_name = module.common.resource_group_name - - os_disk { - os_type = "Linux" - os_state = "Generalized" - blob_uri = var.source_image_vhd_uri - } - - tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_linux_virtual_machine_scale_set" "vmss" { - name = var.vmss_name - location = module.common.resource_group_location - resource_group_name = module.common.resource_group_name - sku = module.common.vm_size - zones = local.availability_zones_num_condition - instances = local.number_of_vm_instances - overprovision = false - - dynamic "identity" { - for_each = var.enable_custom_metrics ? [1] : [] - content { - type = "SystemAssigned" - } - } - - dynamic "source_image_reference" { - for_each = local.custom_image_condition ? 
[] : [1] - content { - publisher = module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version - } - } - source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null - - os_disk { - disk_size_gb = module.common.disk_size - caching = module.common.storage_os_disk_caching - storage_account_type = module.common.storage_account_type - } - - dynamic "plan" { - for_each = local.custom_image_condition ? [] : [1] - content { - name = module.common.vm_os_sku - publisher = module.common.publisher - product = module.common.vm_os_offer - } - } - - computer_name_prefix = lower(var.vmss_name) - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", { - installation_type = module.common.installation_type - allow_upload_download = module.common.allow_upload_download - os_version = module.common.os_version - module_name = module.common.module_name - module_version = module.common.module_version - template_type = "terraform" - is_blink = module.common.is_blink - bootstrap_script64 = base64encode(var.bootstrap_script) - location = module.common.resource_group_location - sic_key = var.sic_key - vnet = data.azurerm_subnet.frontend.address_prefixes[0] - enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" - admin_shell = var.admin_shell - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - })) - - - - disable_password_authentication = local.SSH_authentication_type_condition - - dynamic "admin_ssh_key" { - for_each = local.SSH_authentication_type_condition ? [ - 1] : [] - content { - public_key = var.admin_SSH_key - username = "notused" - } - } - - - boot_diagnostics { - storage_account_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" - } - - upgrade_mode = "Manual" - - network_interface { - name = "eth0" - primary = true - enable_ip_forwarding = true - enable_accelerated_networking = true - network_security_group_id = module.network_security_group[0].network_security_group_id - ip_configuration { - name = "ipconfig1" - subnet_id = data.azurerm_subnet.frontend.id - load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null - primary = true - public_ip_address { - name = "${var.vmss_name}-public-ip" - idle_timeout_in_minutes = 15 - domain_name_label = "${lower(var.vmss_name)}-dns-name" - } - } - } - - network_interface { - name = "eth1" - primary = false - enable_ip_forwarding = true - enable_accelerated_networking = true - ip_configuration { - name = "ipconfig2" - subnet_id = data.azurerm_subnet.backend.id - load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? 
[azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null - primary = true - } - } - - tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags) -} - -resource "azurerm_monitor_autoscale_setting" "vmss_settings" { - depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] - name = var.vmss_name - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id - - profile { - name = "Profile1" - - capacity { - default = module.common.number_of_vm_instances - minimum = var.minimum_number_of_vm_instances - maximum = var.maximum_number_of_vm_instances - } - - rule { - metric_trigger { - metric_name = "Percentage CPU" - metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "GreaterThan" - threshold = 80 - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "1" - cooldown = "PT5M" - } - } - - rule { - metric_trigger { - metric_name = "Percentage CPU" - metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 60 - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT5M" - } - } - } - - notification { - email { - send_to_subscription_administrator = false - send_to_subscription_co_administrator = false - custom_emails = var.notification_email == "" ? [] : [var.notification_email] - } - } - - tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {})) -} - -resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ - depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] - count = var.enable_custom_metrics ? 
1 : 0 - role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"]) - principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id") - scope = module.common.resource_group_id - lifecycle { - ignore_changes = [ - role_definition_id, principal_id - ] - } -} diff --git a/modules/vmss_existing_vnet/variables.tf b/modules/vmss_existing_vnet/variables.tf deleted file mode 100755 index 63c69fb..0000000 --- a/modules/vmss_existing_vnet/variables.tf +++ /dev/null 
@@ -1,425 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "subscription_id" {
- description = "Subscription ID"
- type = string
-}
-
-variable "vmss_name"{
- description = "vmss name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "availability_zones_num" {
- description = "The number of availability zones to use for Scale Set. Note that the load balancers and their IP addresses will be redundant in any case"
- #Availability Zones are only supported in several regions at this time
- #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth"
- #type = list(string)
-}
-
-locals { // locals for 'availability_zones_num' allowed values
- availability_zones_num_allowed_values = [
- "0",
- "1",
- "2",
- "3"
- ]
- // will fail if [var.availability_zones_num] is invalid:
- validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num)
-}
-
-variable "sic_key" {
- description = "Secure Internal Communication(SIC) key"
- type = string
-}
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
-}
-
-variable "installation_type"{
- description = "Installation type"
- type = string
- default = "vmss"
-}
-
-variable "number_of_vm_instances"{
- description = "Default number of VM instances to deploy"
- type = string
- default = "2"
-}
-
-variable "minimum_number_of_vm_instances" {
- description = "Minimum number of VM instances to deploy"
- type = string
-}
-
-variable "maximum_number_of_vm_instances" {
- description = "Maximum number of VM instances to deploy"
- type = string
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-variable "disk_size" {
- description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100"
- type = string
- default = 100
-}
-resource "null_resource" "disk_size_validation" {
- // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
-}
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "is_blink" {
- description = "Define if blink image is used for deployment"
- default = true
-}
-
-variable "management_name" {
- description = "The name of the management server as it appears in the configuration file"
- type = string
-}
-
-variable "management_IP" {
- description = "The IP address used to manage the VMSS instances"
- type = string
-}
-
-variable "management_interface" {
- description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address"
- type = string
- default = "eth1-private"
-}
-locals { // locals for 'management_interface' allowed values
- management_interface_allowed_values = [
- "eth0-public",
- "eth0-private",
- "eth1-private"
- ]
- // will fail if [var.management_interface] is invalid:
- validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface)
-}
-
-variable "configuration_template_name" {
- description = "The configuration template name as it appears in the configuration file"
- type = string
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "frontend_subnet_name" {
- description = "Frontend subnet name"
- type = string
-}
-
-variable "backend_subnet_name" {
- description = "Backend subnet name"
- type = string
-}
-
-variable "vnet_resource_group" {
- description = "Resource group of existing vnet"
- type = string
-}
-
-variable "vnet_allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-
-//********************* Load Balancers Variables **********************//
-
-variable "deployment_mode" {
- description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
- type = string
- default = "Standard"
-}
-
-locals { // locals for 'deployment_mode' allowed values
- deployment_mode_allowd_values = [
- "Standard",
- "External",
- "Internal"
- ]
- // will fail if [var.deployment_mode] is invalid:
- validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode)
-}
-
-variable "backend_lb_IP_address" {
- description = "The IP address is defined by its position in the subnet"
- type = number
-}
-
-variable "lb_probe_port" {
- description = "Port to be used for load balancer health probes and rules"
- default = "8117"
-}
-
-variable "lb_probe_protocol" {
- description = "Protocols to be used for load balancer health probes and rules"
- default = "Tcp"
-}
-
-variable "lb_probe_unhealthy_threshold" {
- description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy."
- default = 2
-}
-
-variable "lb_probe_interval" {
- description = "Interval in seconds load balancer health probe rule performs a check"
- default = 5
-}
-
-variable "frontend_port" {
- description = "Port that will be exposed to the external Load Balancer"
- type = string
- default = "80"
-}
-
-variable "backend_port" {
- description = "Port that will be exposed to the external Load Balance"
- type = string
- default = "80"
-}
-
-variable "frontend_load_distribution" {
- description = "Specifies the load balancing distribution type to be used by the frontend load balancer"
- type = string
-}
-
-locals { // locals for 'frontend_load_distribution' allowed values
- frontend_load_distribution_allowed_values = [
- "Default",
- "SourceIP",
- "SourceIPProtocol"
- ]
- // will fail if [var.frontend_load_distribution] is invalid:
- validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution)
-}
-
-variable "backend_load_distribution" {
- description = "Specifies the load balancing distribution type to be used by the backend load balancer"
- type = string
-}
-
-locals { // locals for 'frontend_load_distribution' allowed values
- backend_load_distribution_allowed_values = [
- "Default",
- "SourceIP",
- "SourceIPProtocol"
- ]
- // will fail if [var.backend_load_distribution] is invalid:
- validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution)
-}
-
-//********************** Scale Set variables *******************//
-
-variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
- validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "bootstrap_script"{
- description = "An optional script to run on the initial boot"
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "notification_email" {
- description = "Specifies a list of custom email addresses to which the email notifications will be sent"
- type = string
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "enable_custom_metrics" {
- description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service."
- type = bool
- default = true
-}
-
-variable "enable_floating_ip" {
- description = "Indicates whether the load balancers will be deployed with floating IP."
- type = bool
- default = true
-}
-
-variable "use_public_ip_prefix" {
- description = "Indicates whether the public IP resources will be deployed with public IP prefix."
- type = bool
- default = false
-}
-
-variable "create_public_ip_prefix" {
- description = "Indicates whether the public IP prefix will created or an existing will be used."
- type = bool
- default = false
-}
-
-variable "existing_public_ip_prefix_id" {
- description = "The existing public IP prefix resource id."
- type = string
- default = ""
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances."
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = [
- {
- name = "AllowAllInBound"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "*"
- source_port_ranges = "*"
- destination_port_ranges = "*"
- description = "Allow all inbound connections"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ]
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
\ No newline at end of file
diff --git a/modules/vmss_existing_vnet/versions.tf b/modules/vmss_existing_vnet/versions.tf
deleted file mode 100755
index 5bf8d9d..0000000
--- a/modules/vmss_existing_vnet/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
-
-
diff --git a/modules/vmss_new_vnet/README.md b/modules/vmss_new_vnet/README.md
deleted file mode 100755
index afd7eca..0000000
--- a/modules/vmss_new_vnet/README.md
+++ /dev/null
@@ -1,148 +0,0 @@ -# Check Point CloudGuard VMSS Module - New VNet - -This Terraform module deploys Check Point CloudGuard VMSS solution into a new VNet in azure. -As part of the deployment the following resources are created: -- Resource group -- Virtual network -- Network security group -- Role assignment - conditional creation - - -For additional information, -please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) - -This solution uses the following modules: -- common - used for creating a resource group and defining common variables. -- vnet - used for creating new virtual network and subnets. -- network_security_group - used for creating new network security groups and rules. - - -## Usage -Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest). - -**Example:** -``` -provider "azurerm" { - features {} -} - -module "example_module" { - - source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_new_vnet" - version = "1.0.8" - - subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - source_image_vhd_uri = "noCustomUri" - resource_group_name = "checkpoint-vmss-terraform" - location = "eastus" - vmss_name = "checkpoint-vmss-terraform" - vnet_name = "checkpoint-vmss-vnet" - address_space = "10.0.0.0/16" - subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] - backend_lb_IP_address = 4 - admin_password = "xxxxxxxxxxxx" - sic_key = "xxxxxxxxxxxx" - vm_size = "Standard_D4ds_v5" - disk_size = "100" - vm_os_sku = "sg-byol" - vm_os_offer = "check-point-cg-r82" - os_version = "R82" - bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" - allow_upload_download = true - authentication_type = "Password" - availability_zones_num = "1" - minimum_number_of_vm_instances = 2 - 
maximum_number_of_vm_instances = 10 - number_of_vm_instances = 2 - management_name = "mgmt" - management_IP = "13.92.42.181" - management_interface = "eth1-private" - configuration_template_name = "vmss_template" - notification_email = "" - frontend_load_distribution = "Default" - backend_load_distribution = "Default" - enable_custom_metrics = true - enable_floating_ip = true - use_public_ip_prefix = false - create_public_ip_prefix = false - existing_public_ip_prefix_id = "" - deployment_mode = "Standard" - admin_shell = "/etc/cli.sh" - serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" - add_storage_account_ip_rules = false - storage_account_additional_ips = [] -} -``` - -## Conditional creation -- To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: - ``` - enable_custom_metrics = true - ``` -- To create new public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = true - ``` -- To use an existing public IP prefix for the public IP: - ``` - use_public_ip_prefix = true - create_public_ip_prefix = false - existing_public_ip_prefix_id = "public IP prefix resource id" - ``` - -## Deploy Without Public IP - -1. By default, the VMSS is deployed with public IP -2. 
To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf -### Module's variables: -| Name | Description | Type | Allowed values | -|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | -| **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | **Default:** "noCustomUri" | -| **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.
Note: Resource group name must not contain reserved words based on: sk40179
| -| **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions
| -| **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long.
Note: VMSS name must not contain reserved words based on: sk40179
| -| **vnet_name** | The name of the virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens
| -| **address_space** | The address prefixes of the virtual network | string | Valid CIDR block
**Default:** "10.0.0.0/16" | -| **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to be contained within the address space for this virtual network (defined by the address_space variable)
**Default:** ["10.0.0.0/24", "10.0.1.0/24"] | -| **backend_lb_IP_address** | A whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | number | Starting from the 5th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4, the LB IP is 10.0.1.4
| -| **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lowercase character, 1 uppercase character, 1 number, and 1 special character
| -| **sic_key** | The Secure Internal Communication one-time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long
| -| **vm_size** | Specifies the size of Virtual Machine | string | A list of valid VM sizes, e.g., "Standard_D4ds_v5", "Standard_D8ds_v5", etc.
| -| **disk_size** | Storage data disk size (GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB)
**Default:** 100 | -| **vm_os_sku** | A SKU of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;
| -| **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82";
| -| **os_version** | GAIA OS version | string | "R8110";
"R8120";
"R82";
| -| **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
| -| **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false;
| -| **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key";
| -| **availability_zones_num** | A list of a single item of the Availability Zone where the Virtual Machine should be allocated | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth"
| -| **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource. | number | Valid values are in the range 0 - 10
| -| **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource. | number | Valid values are in the range 0 - 10
| -| **number_of_vm_instances** | The default number of VMSS instances to deploy. | number | The number of VMSS instances must not be less then `minimum_number_of_vm_instances`. If the number of VMSS is greater then the `maximum_number_of_vm_instances` use the maximum number by default.
**Default**: 2; | -| **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long
| -| **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address
| -| **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" - Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address;
**Default:** "eth1-private" | -| **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long
| -| **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None (5-tuple);
"SourceIP" - ClientIP (2-tuple);
"SourceIPProtocol" - ClientIP and protocol (3-tuple)
| -| **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None (5-tuple);
"SourceIP" - ClientIP (2-tuple);
"SourceIPProtocol" - ClientIP and protocol (3-tuple)
| -| **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address
| -| **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false;
| -| **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false;
**Default:** true | -| **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false;
**Default:** false | -| **create_public_ip_prefix** | Indicates whether the public IP prefix will be created or an existing one will be used. | boolean | true;
false;
**Default:** false | -| **existing_public_ip_prefix_id** | The existing public IP prefix resource ID. | string | Existing public IP prefix resource ID
**Default:** "" | -| **deployment_mode** | Indicates which load balancer needs to be deployed. External + Internal (Standard), only External, only Internal | string | Standard;
External;
Internal;
**Default:** "Standard" | -| **admin_shell** | Enables selecting different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
**Default:** "/etc/cli.sh" | -| **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type | string | | -| **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions | string | | -| **nsg_id** | Optional ID for a Network Security Group that already exists in Azure. If not provided, will create a default NSG | string | Existing NSG resource ID
**Default:** "" | -| **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location | boolean | true;
false;
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | -| **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | -| **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | -| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} |
\ No newline at end of file
diff --git a/modules/vmss_new_vnet/cloud-init.sh b/modules/vmss_new_vnet/cloud-init.sh
deleted file mode 100755
index 0775580..0000000
--- a/modules/vmss_new_vnet/cloud-init.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/python3 /etc/cloud_config.py
-
-installationType="${installation_type}"
-allowUploadDownload="${allow_upload_download}"
-osVersion="${os_version}"
-templateName="${module_name}"
-templateVersion="${module_version}"
-templateType="${template_type}"
-isBlink="${is_blink}"
-bootstrapScript64="${bootstrap_script64}"
-location="${location}"
-sicKey="${sic_key}"
-vnet="${vnet}"
-customMetrics="${enable_custom_metrics}"
-adminShell="${admin_shell}"
-passwordHash="${serial_console_password_hash}"
-MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/modules/vmss_new_vnet/locals.tf b/modules/vmss_new_vnet/locals.tf
deleted file mode 100755
index 406c280..0000000
--- a/modules/vmss_new_vnet/locals.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-locals {
- module_name = "vmss_terraform_registry"
- module_version = "1.0.7"
-
- // Validate that the minimum number of VM instances is at least 0.
- // If not, return an error message.
- validate_number_of_vm_instances_range = var.minimum_number_of_vm_instances >= 0 && var.maximum_number_of_vm_instances >= 0 ? 0 : index("error: The minimum and maximum number of VM instances must be at least 0.")
-
- // Validate that the maximum number of VM instances is greater than or equal to the minimum number of VM instances.
- // If not, return an error message.
- validate_maximum_number_of_vm_instances = var.maximum_number_of_vm_instances >= var.minimum_number_of_vm_instances ? 0 : index("error: The maximum number of VM instances must be greater than or equal to the minimum number of VM instances.")
-
- // The number of VM instances should not exceed the maximum allowed.
- // If the provided number of instances exceeds the maximum, use the maximum instead.
- number_of_vm_instances = var.maximum_number_of_vm_instances >= var.number_of_vm_instances ? var.number_of_vm_instances : var.maximum_number_of_vm_instances
-
- // Validate the number of VM instances against the minimum requirement.
- // If the number of instances is less than the minimum, return an error message.
- validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.")
-
- vmss_tags = var.management_interface == "eth0" ? {
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-management-address = var.management_IP,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- } : {
- x-chkp-management = var.management_name,
- x-chkp-template = var.configuration_template_name,
- x-chkp-ip-address = local.management_ip_address_type,
- x-chkp-management-interface = local.management_interface_name,
- x-chkp-topology = "eth0:external,eth1:internal",
- x-chkp-anti-spoofing = "eth0:false,eth1:false",
- x-chkp-srcImageUri = var.source_image_vhd_uri
- }
-}
diff --git a/modules/vmss_new_vnet/main.tf b/modules/vmss_new_vnet/main.tf
deleted file mode 100755
index f9778f9..0000000
--- a/modules/vmss_new_vnet/main.tf
+++ /dev/null
@@ -1,433 +0,0 @@
-provider "azurerm" {
- features {}
-}
-
-//********************** Basic Configuration **************************//
-module "common" {
- source = "../common"
- resource_group_name = var.resource_group_name
- location = var.location
- admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password
- installation_type = var.installation_type
- module_name = local.module_name
- module_version = local.module_version
- number_of_vm_instances = local.number_of_vm_instances
- allow_upload_download = var.allow_upload_download
- vm_size = var.vm_size
- disk_size = var.disk_size
- is_blink = var.is_blink
- os_version = var.os_version
- vm_os_sku = var.vm_os_sku
- vm_os_offer = var.vm_os_offer
- authentication_type = var.authentication_type
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- storage_account_additional_ips = var.storage_account_additional_ips
- tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Networking **************************//
-module "vnet" {
- source = "../vnet"
- vnet_name = var.vnet_name
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id
- address_space = var.address_space
- subnet_prefixes = var.subnet_prefixes
- tags = var.tags
-}
-
-module "network_security_group" {
- source = "../network_security_group"
- count = var.nsg_id == "" ? 
1 : 0
- resource_group_name = module.common.resource_group_name
- security_group_name = "${module.common.resource_group_name}_nsg"
- location = module.common.resource_group_location
- security_rules = var.security_rules
- tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Load Balancers **************************//
-resource "random_id" "random_id" {
- byte_length = 13
- keepers = {
- rg_id = module.common.resource_group_id
- }
-}
-
-resource "azurerm_public_ip_prefix" "public_ip_prefix" {
- count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0
- name = "${module.common.resource_group_name}-ipprefix"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- prefix_length = 30
- tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_public_ip" "public-ip-lb" {
- count = var.deployment_mode != "Internal" ? 1 : 0
- name = "${var.vmss_name}-app-1"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- allocation_method = module.vnet.allocation_method
- sku = var.sku
- domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
- public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
- tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb" "frontend-lb" {
- count = var.deployment_mode != "Internal" ? 
1 : 0
- depends_on = [azurerm_public_ip.public-ip-lb]
- name = "frontend-lb"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- sku = var.sku
-
- frontend_ip_configuration {
- name = "${var.vmss_name}-app-1"
- public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
- }
-
- tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
- count = var.deployment_mode != "Internal" ? 1 : 0
- loadbalancer_id = azurerm_lb.frontend-lb[0].id
- name = "${var.vmss_name}-app-1"
-}
-
-resource "azurerm_lb" "backend-lb" {
- count = var.deployment_mode != "External" ? 1 : 0
- name = "backend-lb"
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- sku = var.sku
- frontend_ip_configuration {
- name = "backend-lb"
- subnet_id = module.vnet.vnet_subnets[1]
- private_ip_address_allocation = module.vnet.allocation_method
- private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address)
- }
-
- tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
- count = var.deployment_mode != "External" ? 1 : 0
- name = "backend-lb-pool"
- loadbalancer_id = azurerm_lb.backend-lb[0].id
-}
-
-resource "azurerm_lb_probe" "azure_lb_healprob" {
- count = var.deployment_mode == "Standard" ? 2 : 1
- depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb]
- loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id)
- name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? 
"${var.vmss_name}-app-1" : "backend-lb")
- protocol = var.lb_probe_protocol
- port = var.lb_probe_port
- interval_in_seconds = var.lb_probe_interval
- number_of_probes = var.lb_probe_unhealthy_threshold
-}
-
-// Standard deployment
-resource "azurerm_lb_rule" "lbnatrule-standard" {
- count = var.deployment_mode == "Standard" ? 2 : 0
- depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
- loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id
- name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb"
- protocol = count.index == 0 ? "Tcp" : "All"
- frontend_port = count.index == 0 ? var.frontend_port : "0"
- backend_port = count.index == 0 ? var.backend_port : "0"
- backend_address_pool_ids = count.index == 0 ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
- frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
- probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id
- load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution
- enable_floating_ip = var.enable_floating_ip
-}
-
-// External deployment
-resource "azurerm_lb_rule" "lbnatrule-external" {
- count = var.deployment_mode == "External" ? 
1 : 0
- depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob]
- loadbalancer_id = azurerm_lb.frontend-lb[0].id
- name = "${var.vmss_name}-app-1"
- protocol = "Tcp"
- frontend_port = var.frontend_port
- backend_port = var.backend_port
- backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]
- frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name
- probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
- load_distribution = var.frontend_load_distribution
- enable_floating_ip = var.enable_floating_ip
-}
-
-// Internal deployment
-resource "azurerm_lb_rule" "lbnatrule-internal" {
- count = var.deployment_mode == "Internal" ? 1 : 0
- depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
- loadbalancer_id = azurerm_lb.backend-lb[0].id
- name = "backend-lb"
- protocol = "All"
- frontend_port = "0"
- backend_port = "0"
- backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
- frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
- probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
- load_distribution = var.backend_load_distribution
- enable_floating_ip = var.enable_floating_ip
-}
-
-//********************** Storage accounts **************************//
-// Generate random text for a unique storage account name
-resource "random_id" "randomId" {
- keepers = {
- # Generate a new ID only when a new resource group is defined
- resource_group = module.common.resource_group_name
- }
- byte_length = 8
-}
-resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
- name = "diag${random_id.randomId.hex}"
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- account_tier = module.common.storage_account_tier
- account_replication_type = module.common.account_replication_type
- account_kind = "StorageV2"
- min_tls_version = "TLS1_2"
-
network_rules {
- default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
- ip_rules = module.common.storage_account_ip_rules
- }
- blob_properties {
- delete_retention_policy {
- days = "15"
- }
- }
-
- tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {}))
-}
-
-//********************** Virtual Machines **************************//
-locals {
- SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
- availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"]
- custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
- management_interface_name = split("-", var.management_interface)[0]
- management_ip_address_type = split("-", var.management_interface)[1]
-}
-
-resource "azurerm_image" "custom-image" {
- count = local.custom_image_condition ? 1 : 0
- name = "custom-image"
- location = var.location
- resource_group_name = module.common.resource_group_name
-
- os_disk {
- os_type = "Linux"
- os_state = "Generalized"
- blob_uri = var.source_image_vhd_uri
- }
-
- tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
- name = var.vmss_name
- location = module.common.resource_group_location
- resource_group_name = module.common.resource_group_name
- sku = module.common.vm_size
- zones = local.availability_zones_num_condition
- instances = local.number_of_vm_instances
- overprovision = false
-
- dynamic "identity" {
- for_each = var.enable_custom_metrics ? [1] : []
- content {
- type = "SystemAssigned"
- }
- }
-
- dynamic "source_image_reference" {
- for_each = local.custom_image_condition ? 
[] : [1]
- content {
- publisher = module.common.publisher
- offer = module.common.vm_os_offer
- sku = module.common.vm_os_sku
- version = module.common.vm_os_version
- }
- }
- source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null
-
- os_disk {
- disk_size_gb = module.common.disk_size
- caching = module.common.storage_os_disk_caching
- storage_account_type = module.common.storage_account_type
- }
-
- dynamic "plan" {
- for_each = local.custom_image_condition ? [] : [1]
- content {
- name = module.common.vm_os_sku
- publisher = module.common.publisher
- product = module.common.vm_os_offer
- }
- }
-
- computer_name_prefix = lower(var.vmss_name)
- admin_username = module.common.admin_username
- admin_password = module.common.admin_password
- custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", {
- installation_type = module.common.installation_type
- allow_upload_download = module.common.allow_upload_download
- os_version = module.common.os_version
- module_name = module.common.module_name
- module_version = module.common.module_version
- template_type = "terraform"
- is_blink = module.common.is_blink
- bootstrap_script64 = base64encode(var.bootstrap_script)
- location = module.common.resource_group_location
- sic_key = var.sic_key
- vnet = module.vnet.subnet_prefixes[0]
- enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
- admin_shell = var.admin_shell
- serial_console_password_hash = var.serial_console_password_hash
- maintenance_mode_password_hash = var.maintenance_mode_password_hash
- }))
-
-
- disable_password_authentication = local.SSH_authentication_type_condition
-
- dynamic "admin_ssh_key" {
- for_each = local.SSH_authentication_type_condition ? [
- 1] : []
- content {
- public_key = var.admin_SSH_key
- username = "notused"
- }
- }
-
-
- boot_diagnostics {
- storage_account_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
- }
-
- upgrade_mode = "Manual"
-
- network_interface {
- name = "eth0"
- primary = true
- enable_ip_forwarding = true
- enable_accelerated_networking = true
- network_security_group_id = module.network_security_group[0].network_security_group_id
- ip_configuration {
- name = "ipconfig1"
- subnet_id = module.vnet.vnet_subnets[0]
- load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null
- primary = true
- public_ip_address {
- name = "${var.vmss_name}-public-ip"
- idle_timeout_in_minutes = 15
- domain_name_label = "${lower(var.vmss_name)}-dns-name"
- }
- }
- }
-
- network_interface {
- name = "eth1"
- primary = false
- enable_ip_forwarding = true
- enable_accelerated_networking = true
- ip_configuration {
- name = "ipconfig2"
- subnet_id = module.vnet.vnet_subnets[1]
- load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? 
[azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null
- primary = true
- }
- }
-
- tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags)
-}
-
-resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
- depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
- name = var.vmss_name
- resource_group_name = module.common.resource_group_name
- location = module.common.resource_group_location
- target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
-
- profile {
- name = "Profile1"
-
- capacity {
- default = module.common.number_of_vm_instances
- minimum = var.minimum_number_of_vm_instances
- maximum = var.maximum_number_of_vm_instances
- }
-
- rule {
- metric_trigger {
- metric_name = "Percentage CPU"
- metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
- time_grain = "PT1M"
- statistic = "Average"
- time_window = "PT5M"
- time_aggregation = "Average"
- operator = "GreaterThan"
- threshold = 80
- }
-
- scale_action {
- direction = "Increase"
- type = "ChangeCount"
- value = "1"
- cooldown = "PT5M"
- }
- }
-
- rule {
- metric_trigger {
- metric_name = "Percentage CPU"
- metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
- time_grain = "PT1M"
- statistic = "Average"
- time_window = "PT5M"
- time_aggregation = "Average"
- operator = "LessThan"
- threshold = 60
- }
-
- scale_action {
- direction = "Decrease"
- type = "ChangeCount"
- value = "1"
- cooldown = "PT5M"
- }
- }
- }
-
- notification {
- email {
- send_to_subscription_administrator = false
- send_to_subscription_co_administrator = false
- custom_emails = var.notification_email == "" ? [] : [var.notification_email]
- }
- }
-
- tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
- depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
- count = var.enable_custom_metrics ? 
1 : 0
- role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"])
- principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id")
- scope = module.common.resource_group_id
- lifecycle {
- ignore_changes = [
- role_definition_id, principal_id
- ]
- }
-}
diff --git a/modules/vmss_new_vnet/variables.tf b/modules/vmss_new_vnet/variables.tf
deleted file mode 100755
index 0ef653e..0000000
--- a/modules/vmss_new_vnet/variables.tf
+++ /dev/null
@@ -1,414 +0,0 @@
-//********************** Basic Configuration Variables **************************//
-variable "vmss_name"{
- description = "vmss name"
- type = string
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-//********************** Virtual Machine Instances Variables **************************//
-variable "source_image_vhd_uri" {
- type = string
- description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
- default = "noCustomUri"
-}
-
-variable "admin_username" {
- description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- default = "notused"
-}
-
-variable "admin_password" {
- description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
- type = string
-}
-
-variable "serial_console_password_hash" {
- description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
- type = string
- default = ""
-}
-
-variable "maintenance_mode_password_hash" {
- description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
- type = string
- default = ""
-}
-
-variable "availability_zones_num" {
- description = "The number of availability zones to use for Scale Set. 
Note that the load balancers and their IP addresses will be redundant in any case"
- #Availability Zones are only supported in several regions at this time
- #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth"
- #type = list(string)
-}
-
-locals { // locals for 'availability_zones_num' allowed values
- availability_zones_num_allowed_values = [
- "0",
- "1",
- "2",
- "3"
- ]
- // will fail if [var.availability_zones_num] is invalid:
- validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num)
-}
-
-variable "sic_key" {
- description = "Secure Internal Communication(SIC) key"
- type = string
-}
-resource "null_resource" "sic_key_invalid" {
- count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
-}
-
-variable "installation_type"{
- description = "Installation type"
- type = string
- default = "vmss"
-}
-
-variable "number_of_vm_instances"{
- description = "Default number of VM instances to deploy"
- type = string
- default = "2"
-}
-
-variable "minimum_number_of_vm_instances" {
- description = "Minimum number of VM instances to deploy"
- type = string
-}
-
-variable "maximum_number_of_vm_instances" {
- description = "Maximum number of VM instances to deploy"
- type = string
-}
-
-variable "vm_size" {
- description = "Specifies size of Virtual Machine"
- type = string
-}
-
-
-variable "os_version" {
- description = "GAIA OS version"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- os_version_allowed_values = [
- "R8110",
- "R8120",
- "R82"
- ]
- // will fail if [var.os_version] is invalid:
- validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
-}
-variable "disk_size" {
- description = "Storage data disk size size(GB). 
Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100"
- type = string
- default = 100
-}
-resource "null_resource" "disk_size_validation" {
- // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
-}
-variable "vm_os_sku" {
- description = "The sku of the image to be deployed."
- type = string
-}
-
-variable "authentication_type" {
- description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
- type = string
-}
-locals { // locals for 'authentication_type' allowed values
- authentication_type_allowed_values = [
- "Password",
- "SSH Public Key"
- ]
- // will fail if [var.authentication_type] is invalid:
- validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
-}
-
-variable "allow_upload_download" {
- description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
- type = bool
-}
-
-variable "is_blink" {
- description = "Define if blink image is used for deployment"
- default = true
-}
-
-variable "management_name" {
- description = "The name of the management server as it appears in the configuration file"
- type = string
-}
-
-variable "management_IP" {
- description = "The IP address used to manage the VMSS instances"
- type = string
-}
-
-variable "management_interface" {
- description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address"
- type = string
- default = "eth1-private"
-}
-locals { // locals for 'management_interface' allowed values
- management_interface_allowed_values = [
- "eth0-public",
- "eth0-private",
- "eth1-private"
- ]
- // will fail if [var.management_interface] is invalid:
- validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface)
-}
-
-variable "configuration_template_name" {
- description = "The configuration template name as it appears in the configuration file"
- type = string
-}
-
-variable "admin_shell" {
- description = "The admin shell to configure on machine or the first time"
- type = string
- default = "/etc/cli.sh"
-}
-
-locals {
- admin_shell_allowed_values = [
- "/etc/cli.sh",
- "/bin/bash",
- "/bin/csh",
- "/bin/tcsh"
- ]
- // Will fail if [var.admin_shell] is invalid
- validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
-}
-
-//********************** Networking Variables **************************//
-variable "vnet_name" {
- description = "Virtual Network name"
- type = string
-}
-
-variable "address_space" {
- description = "The address space that is used by a Virtual Network." 
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "subnet_prefixes" {
- description = "Address prefix to be used for network subnets"
- type = list(string)
- default = ["10.0.0.0/24","10.0.1.0/24"]
-}
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
-
-variable "add_storage_account_ip_rules" {
- type = bool
- default = false
- description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
-}
-
-variable "storage_account_additional_ips" {
- type = list(string)
- description = "IPs/CIDRs that are allowed access to the Storage Account"
- default = []
-}
-//********************* Load Balancers Variables **********************//
-variable "deployment_mode" {
- description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
- type = string
- default = "Standard"
-}
-
-locals { // locals for 'deployment_mode' allowed values
- deployment_mode_allowd_values = [
- "Standard",
- "External",
- "Internal"
- ]
- // will fail if [var.deployment_mode] is invalid:
- validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode)
-}
-
-variable "backend_lb_IP_address" {
- description = "The IP address is defined by its position in the subnet"
- type = number
-}
-
-variable "lb_probe_port" {
- description = "Port to be used for load balancer health probes and rules"
- default = "8117"
-}
-
-variable "lb_probe_protocol" {
- description = "Protocols to be used for load balancer health probes and rules"
- default = "Tcp"
-}
-
-variable "lb_probe_unhealthy_threshold" {
- description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." 
- default = 2
-}
-
-variable "lb_probe_interval" {
- description = "Interval in seconds load balancer health probe rule performs a check"
- default = 5
-}
-
-variable "frontend_port" {
- description = "Port that will be exposed to the external Load Balancer"
- type = string
- default = "80"
-}
-
-variable "backend_port" {
- description = "Port that will be exposed to the external Load Balance"
- type = string
- default = "80"
-}
-
-variable "frontend_load_distribution" {
- description = "Specifies the load balancing distribution type to be used by the frontend load balancer"
- type = string
-}
-
-locals { // locals for 'frontend_load_distribution' allowed values
- frontend_load_distribution_allowed_values = [
- "Default",
- "SourceIP",
- "SourceIPProtocol"
- ]
- // will fail if [var.frontend_load_distribution] is invalid:
- validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution)
-}
-
-variable "backend_load_distribution" {
- description = "Specifies the load balancing distribution type to be used by the backend load balancer"
- type = string
-}
-
-locals { // locals for 'frontend_load_distribution' allowed values
- backend_load_distribution_allowed_values = [
- "Default",
- "SourceIP",
- "SourceIPProtocol"
- ]
- // will fail if [var.backend_load_distribution] is invalid:
- validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution)
-}
-
-//********************** Scale Set variables *******************//
-
-variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
- type = string
-}
-
-locals { // locals for 'vm_os_offer' allowed values
- vm_os_offer_allowed_values = [
- "check-point-cg-r8110",
- "check-point-cg-r8120",
- "check-point-cg-r82"
- ]
- // will fail if [var.vm_os_offer] is invalid:
-
validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
-}
-
-variable "bootstrap_script"{
- description = "An optional script to run on the initial boot"
- #example:
- #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-}
-
-variable "notification_email" {
- description = "Specifies a list of custom email addresses to which the email notifications will be sent"
- type = string
-}
-
-variable "sku" {
- description = "SKU"
- type = string
- default = "Standard"
-}
-
-variable "enable_custom_metrics" {
- description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service."
- type = bool
- default = true
-}
-
-variable "enable_floating_ip" {
- description = "Indicates whether the load balancers will be deployed with floating IP."
- type = bool
- default = true
-}
-
-variable "use_public_ip_prefix" {
- description = "Indicates whether the public IP resources will be deployed with public IP prefix."
- type = bool
- default = false
-}
-
-variable "create_public_ip_prefix" {
- description = "Indicates whether the public IP prefix will created or an existing will be used."
- type = bool
- default = false
-}
-
-variable "existing_public_ip_prefix_id" {
- description = "The existing public IP prefix resource id."
- type = string
- default = ""
-}
-
-variable "subscription_id" {
- description = "Subscription ID"
- type = string
-}
-
-variable "admin_SSH_key" {
- type = string
- description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances." 
- default = ""
-}
-
-variable "security_rules" {
- description = "Security rules for the Network Security Group using this format [name, priority, direction, access, protocol, source_source_port_rangesport_range, destination_port_ranges, source_address_prefix, destination_address_prefix, description]"
- type = list(any)
- default = [
- {
- name = "AllowAllInBound"
- priority = "100"
- direction = "Inbound"
- access = "Allow"
- protocol = "*"
- source_port_ranges = "*"
- destination_port_ranges = "*"
- description = "Allow all inbound connections"
- source_address_prefix = "*"
- destination_address_prefix = "*"
- }
- ]
-}
-
-variable "tags" {
- description = "Assign tags by resource."
- type = map(map(string))
- default = {}
-}
\ No newline at end of file
diff --git a/modules/vmss_new_vnet/versions.tf b/modules/vmss_new_vnet/versions.tf
deleted file mode 100755
index 5bf8d9d..0000000
--- a/modules/vmss_new_vnet/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 0.14.3"
- required_providers {
- azurerm = {
- source = "hashicorp/azurerm"
- version = "~> 3.90.0"
- }
- random = {
- version = "~> 3.5.1"
- }
- }
-}
-
-
diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf
deleted file mode 100755
index b9edafa..0000000
--- a/modules/vnet/main.tf
+++ /dev/null
@@ -1,87 +0,0 @@
-resource "azurerm_virtual_network" "vnet" {
- name = var.vnet_name
- location = var.location
- address_space = [var.address_space]
- resource_group_name = var.resource_group_name
- dns_servers = var.dns_servers
- tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_subnet" "subnet" {
- depends_on = [azurerm_virtual_network.vnet]
- count = length(var.subnet_names)
- name = var.subnet_names[count.index]
- virtual_network_name = azurerm_virtual_network.vnet.name
- resource_group_name = var.resource_group_name
- address_prefixes = [var.subnet_prefixes[count.index]]
-}
-
-resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
- depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[0]]
- subnet_id = azurerm_subnet.subnet[0].id
- network_security_group_id = var.nsg_id
-}
-resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
- count = length(var.subnet_names) >= 2 ? 
1 : 0
- depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[1]]
- subnet_id = azurerm_subnet.subnet[1].id
- network_security_group_id = var.nsg_id
-}
-
-locals { // locals for 'next_hop_type' allowed values
- next_hop_type_allowed_values = [
- "VirtualNetworkGateway",
- "VnetLocal",
- "Internet",
- "VirtualAppliance",
- "None"
- ]
- address_prefix_length = length(var.subnet_prefixes[0])
-}
-
-resource "azurerm_route_table" "frontend" {
- name = azurerm_subnet.subnet[0].name
- location = var.location
- resource_group_name = var.resource_group_name
-
- route {
- name = "Local-Subnet"
- address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
- next_hop_type = local.next_hop_type_allowed_values[1]
- }
- route {
- name = "To-Internal"
- address_prefix = var.address_space
- next_hop_type = local.next_hop_type_allowed_values[3]
- next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[0].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v])
- }
-
- tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_subnet_route_table_association" "frontend_association" {
- subnet_id = azurerm_subnet.subnet[0].id
- route_table_id = azurerm_route_table.frontend.id
-}
-
-resource "azurerm_route_table" "backend" {
- count = length(var.subnet_names) >= 2 ? 1 : 0
- name = azurerm_subnet.subnet[1].name
- location = var.location
- resource_group_name = var.resource_group_name
-
- route {
- name = "To-Internet"
- address_prefix = "0.0.0.0/0"
- next_hop_type = local.next_hop_type_allowed_values[3]
- next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[1].address_prefixes[0]), 0)) : i == 3 ? 
tostring(tonumber(v) + 4) : v])
- }
-
- tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {}))
-}
-
-resource "azurerm_subnet_route_table_association" "backend_association" {
- count = length(var.subnet_names) >= 2 ? 1 : 0
- subnet_id = azurerm_subnet.subnet[1].id
- route_table_id = azurerm_route_table.backend[count.index].id
-}
diff --git a/modules/vnet/outputs.tf b/modules/vnet/outputs.tf
deleted file mode 100755
index 9dc8e20..0000000
--- a/modules/vnet/outputs.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-output "vnet_id" {
- value = azurerm_virtual_network.vnet.id
-}
-
-output "vnet_name" {
- value = azurerm_virtual_network.vnet.name
-}
-
-output "vnet_location" {
- value = azurerm_virtual_network.vnet.location
-}
-
-output "vnet_address_space" {
- value = azurerm_virtual_network.vnet.address_space
-}
-
-output "vnet_subnets" {
- value = azurerm_subnet.subnet.*.id
-}
-
-output "subnet_prefixes" {
- value = var.subnet_prefixes
-}
-
-output "allocation_method" {
- value = var.allocation_method
-}
\ No newline at end of file
diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf
deleted file mode 100755
index 3a34972..0000000
--- a/modules/vnet/variables.tf
+++ /dev/null
@@ -1,63 +0,0 @@
-variable "vnet_name" {
- description = "Name of Virtual Network"
- type = string
- default = "vnet01"
-}
-
-variable "resource_group_name" {
- description = "Azure Resource Group name to build into"
- type = string
-}
-
-variable "location" {
- description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
- type = string
-}
-
-variable "address_space" {
- description = "The address prefixes of the virtual network"
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "dns_servers" {
- description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS"
- type = list(string)
- default = []
-}
-
-variable "subnet_prefixes" {
- description = "The address prefixes to be used for subnets"
- type = list(string)
- default = ["10.0.0.0/24","10.0.1.0/24"]
-}
-
-variable "subnet_names" {
- description = "A list of subnet names in a Virtual Network"
- type = list(string)
- default = ["Frontend","Backend"]
-}
-
-variable "tags" {
- description = "Tags to be associated with Virtual Network and subnets"
- type = map(map(string))
- default = {}
-}
-variable "nsg_id" {
- description = "Network security group to be associated with a Virtual Network and subnets"
- type = string
-}
-
-variable "allocation_method" {
- description = "IP address allocation method"
- type = string
- default = "Static"
-}
-
-locals { // locals for 'allocation_method' allowed values
- allocation_method_allowed_values = [
- "Static"
- ]
- // will fail if [var.allocation_method] is invalid:
- validate_method_allowed_value = index(local.allocation_method_allowed_values, var.allocation_method)
-}
\ No newline at end of file