From 008dbe167a0ec90ea59ea38f3efc27518de4ff98 Mon Sep 17 00:00:00 2001 
From: eddiek Date: Wed, 25 Sep 2024 16:59:01 +0300 Subject: [PATCH] resolve code analysis feedbacks --- aws/templates/asg/autoscale.yaml | 30 ++- aws/templates/cluster/cluster-master.yaml | 29 ++- aws/templates/cluster/cluster.yaml | 199 ++++++++++------- .../cross-az-cluster-master.yaml | 23 +- .../cross-az-cluster/cross-az-cluster.yaml | 209 ++++++++++-------- .../geo-cluster/geo-cluster-master.yaml | 29 ++- aws/templates/geo-cluster/geo-cluster.yaml | 198 ++++++++++------- aws/templates/gwlb-asg/gwlb-master.yaml | 39 ++-- aws/templates/gwlb-asg/gwlb.yaml | 36 ++- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 23 +- aws/templates/gwlb-asg/qs-gwlb.yaml | 26 ++- aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 39 ++-- aws/templates/gwlb-asg/tgw-gwlb.yaml | 37 +++- aws/templates/management/management.yaml | 94 ++++---- aws/templates/mds/mds.yaml | 90 +++++--- aws/templates/single-gw/gateway-master.yaml | 31 ++- aws/templates/single-gw/gateway.yaml | 105 +++++---- .../standalone/standalone-master.yaml | 27 ++- aws/templates/standalone/standalone.yaml | 99 +++++---- aws/templates/tgw-asg/tgw-asg-master.yaml | 35 +-- aws/templates/tgw-asg/tgw-asg.yaml | 36 +-- .../tgw-cross-az-cluster-master.yaml | 23 +- .../tgw-cross-az-cluster.yaml | 23 +- aws/templates/tgw-ha/tgw-ha-master.yaml | 30 ++- aws/templates/tgw-ha/tgw-ha.yaml | 27 ++- azure/misc/azure_ha_test.py | 16 -- .../README.md | 1 - .../createUiDefinition.json | 6 +- .../mainTemplate.json | 25 ++- .../marketplace-ha/createUiDefinition.json | 28 +-- .../marketplace-ha/mainTemplate.json | 4 +- .../createUiDefinition.json | 6 +- .../marketplace-management/mainTemplate.json | 4 +- .../marketplace-mds/createUiDefinition.json | 4 +- .../marketplace-mds/mainTemplate.json | 4 +- .../createUiDefinition.json | 4 +- .../marketplace-single-waap/mainTemplate.json | 7 +- .../createUiDefinition.json | 14 +- .../marketplace-single/mainTemplate.json | 4 +- .../createUiDefinition.json | 4 +- .../marketplace-vmss-waap/mainTemplate.json | 8 
+- .../marketplace-vmss/createUiDefinition.json | 6 +- .../marketplace-vmss/mainTemplate.json | 4 +- .../nestedtemplates/storageAccount-new.json | 5 +- .../vnet-1-subnet-existing.json | 2 +- .../vnet-2-subnet-ha2-existing.json | 2 +- .../vnet-2-subnet-ha2-new.json | 2 +- .../vnet-existing-stack-ha.json | 2 +- .../nestedtemplates/vnet-existing.json | 2 +- .../nestedtemplates/vnet-new-stack-ha.json | 2 +- azure/templates/single-ipv6/README.md | 1 - azure/templates/single-ipv6/mainTemplate.json | 4 +- azure/templates/vmss-ipv6/mainTemplate.json | 4 +- azure/templates/vwan-managed-app/README.md | 4 +- .../vwan-managed-app/mainTemplate.json | 4 +- common/custom-management-script.py | 3 - .../terraform-azure-gwlb/cpcluster-main.tf | 5 + contrib/terraform-azure-gwlb/cpmgmt-main.tf | 5 + contrib/terraform-azure-gwlb/terraform.tfvars | 38 ++-- .../azure/vmss-new-vnet-with-peer/main.tf | 5 + .../vmss-new-vnet-with-peer/terraform.tfvars | 58 ++--- .../R8040-R81/autoscale-into-new-vpc/main.tf | 2 + terraform/alicloud/cluster-master/README.md | 7 +- terraform/alicloud/cluster/README.md | 7 +- .../cluster/cluster_member_a_userdata.yaml | 2 +- .../cluster/cluster_member_b_userdata.yaml | 2 +- terraform/alicloud/cluster/main.tf | 2 +- terraform/alicloud/gateway-master/README.md | 5 +- terraform/alicloud/gateway/README.md | 5 +- .../alicloud/management-master/README.md | 6 +- terraform/alicloud/management/README.md | 8 +- .../management/management_userdata.yaml | 2 +- .../gateway_instance/gateway_userdata.yaml | 2 +- .../modules/common/version_license/main.tf | 5 - terraform/alicloud/modules/images/images.yaml | 58 ----- terraform/aws/autoscale-gwlb/README.md | 84 +++---- terraform/aws/autoscale-gwlb/locals.tf | 1 - terraform/aws/autoscale-gwlb/main.tf | 28 +-- terraform/aws/autoscale-gwlb/terraform.tfvars | 2 +- terraform/aws/autoscale-gwlb/variables.tf | 2 +- terraform/aws/autoscale/README.md | 90 ++++---- terraform/aws/autoscale/asg_userdata.yaml | 2 +- 
terraform/aws/autoscale/main.tf | 14 +- terraform/aws/autoscale/terraform.tfvars | 2 +- terraform/aws/autoscale/variables.tf | 2 +- terraform/aws/cluster-master/README.md | 25 ++- terraform/aws/cluster-master/terraform.tfvars | 2 +- terraform/aws/cluster-master/variables.tf | 2 +- terraform/aws/cluster/README.md | 88 ++++---- .../cluster/cluster_member_a_userdata.yaml | 2 +- terraform/aws/cluster/terraform.tfvars | 2 +- terraform/aws/cluster/variables.tf | 2 +- terraform/aws/cme-iam-role-gwlb/README.md | 11 +- terraform/aws/cme-iam-role/README.md | 7 +- .../aws/cross-az-cluster-master/README.md | 20 +- .../cross-az-cluster-master/terraform.tfvars | 2 +- .../aws/cross-az-cluster-master/variables.tf | 2 +- terraform/aws/cross-az-cluster/README.md | 22 +- .../cluster_member_a_userdata.yaml | 2 +- .../cluster_member_b_userdata.yaml | 2 +- .../aws/cross-az-cluster/terraform.tfvars | 2 +- terraform/aws/cross-az-cluster/variables.tf | 2 +- terraform/aws/gateway-master/README.md | 25 ++- terraform/aws/gateway-master/terraform.tfvars | 2 +- terraform/aws/gateway-master/variables.tf | 2 +- terraform/aws/gateway/README.md | 87 ++++---- terraform/aws/gateway/terraform.tfvars | 2 +- terraform/aws/gateway/variables.tf | 2 +- terraform/aws/gwlb-master/README.md | 106 ++++----- terraform/aws/gwlb-master/terraform.tfvars | 2 +- terraform/aws/gwlb-master/variables.tf | 2 +- terraform/aws/gwlb/README.md | 32 +-- terraform/aws/gwlb/terraform.tfvars | 2 +- terraform/aws/gwlb/variables.tf | 2 +- terraform/aws/management/README.md | 25 ++- .../aws/management/management_userdata.yaml | 2 +- terraform/aws/mds/README.md | 22 +- terraform/aws/mds/mds_userdata.yaml | 2 +- terraform/aws/modules/amis/main.tf | 7 +- .../gateway_instance/gateway_userdata.yaml | 2 +- .../common/gateway_instance/variables.tf | 2 +- .../aws/modules/common/instance_type/main.tf | 2 +- .../modules/common/load_balancer/variables.tf | 2 +- .../modules/common/version_license/main.tf | 19 -- 
.../aws/modules/custom-autoscale/main.tf | 6 +- terraform/aws/qs-autoscale-master/README.md | 21 +- .../aws/qs-autoscale-master/terraform.tfvars | 2 +- .../aws/qs-autoscale-master/variables.tf | 2 +- terraform/aws/qs-autoscale/README.md | 109 +++++---- terraform/aws/qs-autoscale/terraform.tfvars | 2 +- terraform/aws/qs-autoscale/variables.tf | 2 +- terraform/aws/standalone-master/README.md | 21 +- terraform/aws/standalone-master/locals.tf | 1 + terraform/aws/standalone/README.md | 90 ++++---- .../aws/standalone/standalone_userdata.yaml | 2 +- terraform/aws/tgw-asg-master/README.md | 23 +- terraform/aws/tgw-asg-master/locals.tf | 2 + terraform/aws/tgw-asg-master/terraform.tfvars | 2 +- terraform/aws/tgw-asg-master/variables.tf | 2 +- terraform/aws/tgw-asg/README.md | 25 ++- terraform/aws/tgw-asg/terraform.tfvars | 2 +- terraform/aws/tgw-asg/variables.tf | 2 +- .../aws/tgw-cross-az-cluster-master/README.md | 90 ++++---- .../terraform.tfvars | 2 +- .../tgw-cross-az-cluster-master/variables.tf | 2 +- terraform/aws/tgw-cross-az-cluster/README.md | 92 ++++---- .../aws/tgw-cross-az-cluster/terraform.tfvars | 2 +- .../aws/tgw-cross-az-cluster/variables.tf | 2 +- terraform/aws/tgw-gwlb-master/README.md | 126 +++++------ .../aws/tgw-gwlb-master/terraform.tfvars | 2 +- terraform/aws/tgw-gwlb-master/variables.tf | 2 +- terraform/aws/tgw-gwlb/README.md | 132 +++++------ terraform/aws/tgw-gwlb/terraform.tfvars | 2 +- terraform/aws/tgw-gwlb/variables.tf | 2 +- .../high-availability-existing-vnet/README.md | 40 ++-- .../high-availability-existing-vnet/main.tf | 1 + .../variables.tf | 4 +- .../high-availability-new-vnet/README.md | 8 +- .../azure/high-availability-new-vnet/main.tf | 1 + .../high-availability-new-vnet/variables.tf | 4 +- .../azure/management-existing-vnet/README.md | 8 +- .../azure/management-existing-vnet/main.tf | 1 + .../management-existing-vnet/variables.tf | 4 +- terraform/azure/management-new-vnet/README.md | 8 +- terraform/azure/management-new-vnet/main.tf | 
1 + .../azure/management-new-vnet/variables.tf | 4 +- terraform/azure/mds-existing-vnet/README.md | 8 +- terraform/azure/mds-existing-vnet/main.tf | 1 + .../azure/mds-existing-vnet/variables.tf | 4 +- terraform/azure/mds-new-vnet/README.md | 8 +- terraform/azure/mds-new-vnet/main.tf | 1 + terraform/azure/mds-new-vnet/variables.tf | 4 +- terraform/azure/modules/common/variables.tf | 8 +- .../azure/nva-into-existing-hub/README.md | 5 +- terraform/azure/nva-into-new-vwan/README.md | 9 +- .../single-gateway-existing-vnet/README.md | 8 +- .../single-gateway-existing-vnet/main.tf | 1 + .../single-gateway-existing-vnet/variables.tf | 4 +- .../azure/single-gateway-new-vnet/README.md | 8 +- .../azure/single-gateway-new-vnet/main.tf | 1 + .../single-gateway-new-vnet/variables.tf | 4 +- terraform/azure/vmss-existing-vnet/README.md | 176 ++++++++------- terraform/azure/vmss-existing-vnet/main.tf | 1 + .../azure/vmss-existing-vnet/terraform.tfvars | 3 +- .../azure/vmss-existing-vnet/variables.tf | 16 +- terraform/azure/vmss-new-vnet/README.md | 8 +- terraform/azure/vmss-new-vnet/main.tf | 1 + terraform/azure/vmss-new-vnet/variables.tf | 6 +- .../gcp/autoscale-into-existing-vpc/README.md | 28 ++- .../gcp/autoscale-into-existing-vpc/locals.tf | 9 + .../gcp/autoscale-into-existing-vpc/main.tf | 25 ++- .../terraform.tfvars | 61 ++--- .../autoscale-into-existing-vpc/variables.tf | 17 +- .../gcp/autoscale-into-new-vpc/README.md | 15 +- .../gcp/autoscale-into-new-vpc/locals.tf | 8 + terraform/gcp/autoscale-into-new-vpc/main.tf | 5 + .../autoscale-into-new-vpc/terraform.tfvars | 5 +- .../gcp/autoscale-into-new-vpc/variables.tf | 17 +- terraform/gcp/common/cluster-member/main.tf | 4 +- .../gcp/common/cluster-member/variables.tf | 12 +- terraform/gcp/common/members-a-b/main.tf | 4 + terraform/gcp/common/members-a-b/variables.tf | 10 + terraform/gcp/common/startup-script.sh | 2 +- terraform/gcp/high-availability/README.md | 24 +- terraform/gcp/high-availability/locals.tf | 12 +- 
terraform/gcp/high-availability/main.tf | 2 + .../gcp/high-availability/terraform.tfvars | 4 +- terraform/gcp/high-availability/variables.tf | 14 +- .../gcp/single-into-existing-vpc/README.md | 37 ++-- .../gcp/single-into-existing-vpc/locals.tf | 16 +- .../gcp/single-into-existing-vpc/main.tf | 4 +- .../single-into-existing-vpc/terraform.tfvars | 18 +- .../gcp/single-into-existing-vpc/variables.tf | 12 +- terraform/gcp/single-into-new-vpc/README.md | 42 ++-- terraform/gcp/single-into-new-vpc/main.tf | 2 + .../gcp/single-into-new-vpc/terraform.tfvars | 2 + .../gcp/single-into-new-vpc/variables.tf | 12 +- 217 files changed, 2342 insertions(+), 1942 deletions(-) diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml index 15e36d55..97627bd8 100644 --- a/aws/templates/asg/autoscale.yaml +++ b/aws/templates/asg/autoscale.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Create an Auto Scaling group of Check Point gateways (20240417) +Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -18,6 +18,7 @@ Metadata: - VolumeType - EnableVolumeEncryption - EnableInstanceConnect + - MetaDataToken - Label: default: Auto Scaling Configuration Parameters: @@ -67,6 +68,8 @@ Metadata: default: Enable volume encryption EnableInstanceConnect: default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token GatewaysMinSize: default: Minimum Gateway group size GatewaysMaxSize: @@ -119,7 +122,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
@@ -262,6 +265,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewaysMinSize: Description: The minimal number of gateways in the Auto Scaling group. Type: Number @@ -287,12 +297,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -386,6 +390,7 @@ Conditions: ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] EnableCloudWatch: !Equals [!Ref CloudWatch, true] CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ChkpGatewayRole: Type: AWS::IAM::Role @@ -405,7 +410,7 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: ChkpGatewayPolicy PolicyRole: !Ref ChkpGatewayRole @@ -419,7 +424,7 @@ Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] NotificationTopic: @@ -515,6 +520,8 @@ Resources: KeyName: !Ref KeyName ImageId: !GetAtt AMI.Outputs.ImageId InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] BlockDeviceMappings: - DeviceName: '/dev/xvda' Ebs: 
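Review bot: `TemplateURL: __URL__/iam/cloudwatch-policy.yaml` replaces a fixed https S3 URL with a placeholder that CloudFormation itself will reject, so deployability now rests entirely on the release step that substitutes `__URL__`; the same applies to `__URL__/utils/amis.yaml` in the next hunk, to the nested-stack URLs in cluster-master.yaml, cluster.yaml and cross-az-cluster-master.yaml, and to the `__VERSION__` placeholder in each Description and `templateVersion=` user-data argument. The substituted value decides which nested templates (IAM policy, AMI lookup, cluster) a stack executes, so the build should only ever fill it with a publisher-controlled HTTPS S3 location and should fail if any placeholder survives in the published artifact. A one-line comment at the first occurrence would make the contract explicit, e.g. `# __URL__ is replaced at release time with the publisher's HTTPS S3 base URL; never hand-edit or publish unsubstituted`.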
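Review bot: `HttpTokens: !If [EnableMetaDataToken, required, optional]` correctly makes IMDSv2 the default, but the `MetaDataToken` description in the `@@ -262,6 +265,13 @@` hunk does not say what `false` means, and `optional` keeps IMDSv1 reachable from the gateway, which is what makes instance-role credentials easier to reach from a compromised local process. Suggested description: `Set true (recommended) to require IMDSv2 session tokens for instance metadata; false keeps IMDSv1 enabled for legacy tooling.` Consider also setting `HttpPutResponseHopLimit` explicitly in the same `MetadataOptions` block rather than relying on the EC2 default; the same parameter and `EnableMetaDataToken` condition are added in cluster-master.yaml, cluster.yaml and cross-az-cluster-master.yaml and would benefit from the same wording.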
@@ -538,7 +545,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version GatewayScaleUpPolicy: Type: AWS::AutoScaling::ScalingPolicy @@ -605,3 +612,4 @@ Outputs: SecurityGroup: Description: The Security Group of the Auto Scaling group. Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml index 0f73a08c..6243e34c 100755 --- a/aws/templates/cluster/cluster-master.yaml +++ b/aws/templates/cluster/cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20240204) +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -23,6 +23,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -75,6 +76,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -133,7 +136,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -290,16 +293,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -391,7 +395,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -410,7 +414,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cluster.yaml + TemplateURL: __URL__/cluster/cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -426,6 +430,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash 
@@ -494,12 +499,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml index f065f4f3..f1263257 100755 --- a/aws/templates/cluster/cluster.yaml +++ b/aws/templates/cluster/cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -75,6 +76,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -127,7 +130,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
@@ -285,16 +288,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -390,6 +394,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -407,7 +412,7 @@ Resources: Condition: CreateRole Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: @@ -417,14 +422,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join [-, [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: 
@@ -520,8 +525,12 @@ Resources: SubnetId: !Ref PrivateSubnet MemberAInstance: Type: AWS::EC2::Instance - DependsOn: [MemberAExternalInterface, MemberAInternalInterface] + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] 
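Review bot: `DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate]` lists the launch template that the new `LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate` and `Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber` lines already reference, so CloudFormation infers that ordering and the explicit entry is redundant; the two interfaces are likewise referenced from inside the launch template via its `NetworkInterfaceId` lines, so the ordering holds transitively. The same applies to the Member B hunk starting at `@@ -537,46 +546,14 @@`. Keeping the explicit list is harmless, but if it is meant as documentation a short comment such as `# explicit for readability; Ref/GetAtt already order these` would stop the next reader from wondering whether it guards something else; the MemberAInstance resource continues beyond this hunk.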
@@ -537,46 +546,14 @@ Resources: - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py 
enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: [MemberBExternalInterface, MemberBInternalInterface] + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] 
@@ -592,41 +569,92 @@ Resources: - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; 
ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['.', !Select [0, !Split ['-', !Ref GatewayVersion]]]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' 
bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] 
+ - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version ClusterPublicAddress: Type: AWS::EC2::EIP Properties: @@ -719,12 +747,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] 
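Review bot: The new `MemberAGatewayLaunchTemplate` and `MemberBGatewayLaunchTemplate` resources carry the full bootstrap user data — `sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey` plus the `pwd_hash`, `maintenance_pwd_hash` and `bootstrap` lines — so the SIC one-time key and the password hashes are now stored in a launch-template version as well as in each instance's user data. That widens who can read them: any principal allowed `ec2:DescribeLaunchTemplateVersions` in the account sees that base64 user data, and launch-template versions persist as long as the template does, whereas the removed lines kept them only in the instance's own user-data attribute. Using launch templates makes this unavoidable, but it should be documented and the deploying account's IAM policies should treat `DescribeLaunchTemplateVersions` and the instance `userData` attribute as sensitive; a comment above each `UserData:` such as `# Contains the SIC key and password hashes; readable via DescribeLaunchTemplateVersions, restrict that permission` would carry the warning. I cannot see from this hunk whether `GatewaySICKey` and the hash parameters are declared `NoEcho`; if they are not, the same values also surface in DescribeStacks parameter output.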
@@ -734,3 +762,4 @@ Rules: - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" Assert: !Equals [ !Ref MemberBToken, '' ] + diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml index 65ed15aa..dcc61a70 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20240204) +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -24,6 +24,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -78,6 +79,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -148,7 +151,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -298,6 +301,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL @@ -391,7 +401,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 
@@ -412,7 +422,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + TemplateURL: __URL__/cluster/cross-az-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -429,6 +439,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -497,12 +508,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml index 7f4a56ac..5d294579 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -145,7 +148,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -303,6 +306,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL @@ -398,6 +408,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -415,7 +426,7 @@ Resources: Condition: CreateRole Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: 
@@ -425,14 +436,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: @@ -571,8 +582,12 @@ Resources: PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress MemberAInstance: Type: AWS::EC2::Instance - DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface] + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] 
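Review bot: Pointing MemberAInstance at `Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber` changes the update semantics of the gateway: as I understand the AWS::EC2::Instance reference, LaunchTemplate is a replacement-on-update property, so any later stack update that alters LaunchTemplateData (a new password hash, SIC key or NTP server) creates a new template version and replaces the running instance, whereas the inline UserData it replaces was updated with a stop/start. That should be confirmed against the resource documentation before merging, and if replacement is the intended behaviour a comment above `LaunchTemplate:` such as `# Any LaunchTemplateData change creates a new version and replaces this instance` would spare the next operator the surprise. The same pattern is used for MemberBInstance in the next hunk and for both members in geo-cluster.yaml.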
@@ -587,50 +602,14 @@ Resources: - ':' - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface] + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] 
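Review bot: MemberBInstance's new `DependsOn` drops `MemberAExternalInterface`, which the removed line listed, while MemberAInstance's updated list in the previous hunk keeps its counterpart `MemberBExternalInterface` and only appends the launch template. Creation order is still reached indirectly, because MemberBGatewayLaunchTemplate's UserData uses `!GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses`, so this is not a deployment break, but the two members should read the same: `DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface, MemberBGatewayLaunchTemplate]`. The explicit launch-template entry in both lists is itself redundant, since the `!Ref` in LaunchTemplateId already gives CloudFormation the dependency.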
@@ -645,46 +624,100 @@ Resources: - ':' - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' 
wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - 
DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: 
!Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' 
bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version Outputs: ClusterPublicAddress: Description: The public address of the cluster. @@ -739,12 +772,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml index d030832c..a07c6ed7 100644 --- a/aws/templates/geo-cluster/geo-cluster-master.yaml +++ b/aws/templates/geo-cluster/geo-cluster-master.yaml 
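Review bot: Moving UserData into MemberAGatewayLaunchTemplate and MemberBGatewayLaunchTemplate changes where the embedded secrets live: the `sic`, `pwd_hash`, `maintenance_pwd_hash` and `tokenA`/`tokenB` values are now part of `LaunchTemplateData`, which the launch-template describe APIs return to any principal with read access to EC2 launch templates, and each template version created by later stack updates keeps its own copy, whereas before they existed only in the instance's own user data. If the parameters feeding them (GatewaySICKey, GatewayPasswordHash, GatewayMaintenancePasswordHash, MemberAToken, MemberBToken — declared outside this hunk) are not already `NoEcho: true`, that is the minimum to add. A comment above each `UserData:` such as `# Contains SIC key, password hashes and Smart-1 Cloud tokens; also readable via DescribeLaunchTemplateVersions` would make the exposure explicit to whoever scopes the IAM policies around this stack. The same applies to the launch templates added in geo-cluster.yaml and cluster.yaml.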
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point cross AZ Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -151,7 +154,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -309,17 +312,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -409,7 +413,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -429,7 +433,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml + TemplateURL: __URL__/cluster/geo-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID 
@@ -447,6 +451,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -502,12 +507,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml index 86d9ea95..eee0a855 100644 --- a/aws/templates/geo-cluster/geo-cluster.yaml +++ b/aws/templates/geo-cluster/geo-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204) +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -145,7 +148,7 @@ Parameters: Default: Check-Point-Cluster GatewayInstanceType: Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -303,17 +306,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -406,6 +410,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -422,7 +427,7 @@ Resources: ClusterRole: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: @@ -432,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: 
@@ -535,90 +540,111 @@ Resources: SubnetId: !Ref PrivateSubnetB MemberAInstance: Type: AWS::EC2::Instance - DependsOn: MemberAInternalInterface + DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - 'Fn::Join': - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref 
GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: MemberBInternalInterface + DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - 'Fn::Join': - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: 
+ NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" 
allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py 
enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version MemberAPublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress @@ -692,12 +718,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml index d10e85ad..6766a1b3 100644 --- a/aws/templates/gwlb-asg/gwlb-master.yaml +++ b/aws/templates/gwlb-asg/gwlb-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -48,6 +49,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: @@ -87,6 +89,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -127,6 +131,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -223,6 +229,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -289,7 +302,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
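Review bot: The description of the new `MetaDataToken` parameter in the `@@ -223,6 +229,13 @@ Parameters:` hunk does not say what choosing `false` means; the launch templates elsewhere in this commit map it to `HttpTokens: !If [EnableMetaDataToken, required, optional]`, and `optional` keeps IMDSv1 reachable, giving up the session-token requirement that IMDSv2 adds to protect instance-role credentials in the metadata service. Suggest `Description: Set true to require IMDSv2 session tokens for instance metadata (HttpTokens required). Setting false leaves IMDSv1 enabled on the instance.` The same parameter block is repeated below in gwlb.yaml, qs-gwlb-master.yaml, qs-gwlb.yaml, tgw-gwlb-master.yaml, tgw-gwlb.yaml and management.yaml; one shared wording would keep them in sync.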
@@ -417,9 +430,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -462,6 +472,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String @@ -588,10 +603,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -636,7 +647,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -649,7 +660,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml + TemplateURL: __URL__/gwlb/gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join @@ -664,6 +675,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate 
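Review bot: `NoEcho: true` on the new `GatewayBootstrapScript` parameter (hunk `@@ -462,6 +472,11 @@ Parameters:`) only masks the value in this stack's own parameter listing; the value is forwarded as `GatewayBootstrapScript: !Ref GatewayBootstrapScript` to the nested gwlb.yaml stack (which does declare NoEcho in this commit) and from there to autoscale-gwlb.yaml, which is not in the diff, so confirm that template's parameter is NoEcho too or the value shows in that stack's parameters. The script text presumably also ends up base64-embedded in instance UserData, as geo-cluster.yaml does above with `bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript`, which NoEcho does not hide from launch template versions or from the instance's own metadata. The description also says "optional" twice; suggest `Description: Semicolon (;) separated commands to run on the initial boot. The script is stored in instance user data, so do not embed credentials in it. (optional)`. The same parameter hunk appears below in gwlb.yaml, tgw-gwlb-master.yaml and tgw-gwlb.yaml.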
@@ -684,6 +696,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementDeploy: !Ref ManagementDeploy ManagementInstanceType: !Ref ManagementInstanceType ManagementVersion: !Ref ManagementVersion @@ -715,7 +728,7 @@ Outputs: Value: !GetAtt GWLBStack.Outputs.GWLBServiceName Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index 8b2d8830..8d0340f7 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -17,6 +17,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -43,6 +44,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: 
@@ -72,6 +74,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -112,6 +116,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -177,6 +183,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -239,7 +252,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -367,9 +380,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -412,6 +422,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String @@ -538,10 +553,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL 
@@ -631,7 +642,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -643,6 +654,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail @@ -655,13 +667,14 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate ManagementStack: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + TemplateURL: __URL__/gwlb/management-gwlb.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -682,6 +695,7 @@ Resources: GatewayManagement: !Ref GatewayManagement GatewaysAddresses: !Ref GatewaysAddresses TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementBootstrapScript: !Join - ';' - - 'echo -e "\nStarting Bootstrap script\n"' diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index c95da46e..6979b470 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -37,6 +37,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -133,6 +134,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -335,6 +338,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -401,7 +411,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -697,8 +707,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -792,7 +800,7 @@ Resources: SecurityVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs 
@@ -805,7 +813,7 @@ Resources: ServersVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-vpc.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-servers-vpc.yaml Parameters: AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] NumberOfAZs: !Ref NumberOfAZs @@ -824,7 +832,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: [SecurityVPCStack, ServersVPCStack] Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb.yaml + TemplateURL: __URL__/gwlb/qs-gwlb.yaml Parameters: SecurityVPC: !GetAtt SecurityVPCStack.Outputs.VPCID NumberOfAZs: !Ref NumberOfAZs @@ -843,6 +851,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index 1e560d67..70723206 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (__VERSION__)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -29,6 +29,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate 
@@ -105,6 +106,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -244,6 +247,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -306,7 +316,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -602,8 +612,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -741,7 +749,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref SecurityVPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -753,6 +761,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail @@ -783,7 +792,7 @@ Resources: Condition: DeployManagement DependsOn: GWLBeEndpointStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + TemplateURL: __URL__/gwlb/management-gwlb.yaml Parameters: VPC: !Ref SecurityVPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] 
@@ -804,6 +813,7 @@ Resources: GatewayManagement: !Ref GatewayManagement GatewaysAddresses: !Ref GatewaysAddresses TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementBootstrapScript: !Join - ';' - - 'echo -e "\nStarting Bootstrap script\n"' @@ -831,7 +841,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VpcEndpointService Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-endpoints.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-endpoints.yaml Parameters: NumberOfAZs: !Ref NumberOfAZs GWLBeVPC: !Ref ServersVPC @@ -844,7 +854,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: GWLBeEndpointStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-autoscale.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-servers-autoscale.yaml Parameters: VPC: !Ref ServersVPC Subnets: !Join [',', !Ref ServersSubnets] diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml index f0284de3..cdf99b9c 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -34,6 +34,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate 
@@ -59,6 +60,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: @@ -122,6 +124,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -160,6 +164,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -322,6 +328,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -382,7 +395,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -510,9 +523,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -555,6 +565,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String 
@@ -681,10 +696,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -730,7 +741,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -748,7 +759,7 @@ Resources: TgwGwlbStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/tgw-gwlb.yaml + TemplateURL: __URL__/gwlb/tgw-gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID IGWID: !GetAtt VPCStack.Outputs.IGWID @@ -778,6 +789,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate @@ -794,6 +806,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript GWLBName: !Ref GWLBName TargetGroupName: !Ref TargetGroupName CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing @@ -856,7 +869,7 @@ Outputs: Condition: 4AZs Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] 
diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml index 0801a10a..123d500a 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -32,6 +32,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -51,6 +52,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Gateway Load Balancer Configuration Parameters: @@ -116,6 +118,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -148,6 +152,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script GWLBName: default: Gateway Load Balancer Name TargetGroupName: 
@@ -223,6 +229,7 @@ Parameters: Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. NatGwSubnet3CIDR: Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. @@ -234,6 +241,7 @@ Parameters: Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. Type: String Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GWLBeSubnet1CIDR: Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. @@ -245,6 +253,7 @@ Parameters: Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GWLBeSubnet3CIDR: Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. @@ -256,6 +265,7 @@ Parameters: Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. Type: String Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. KeyName: Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. 
@@ -294,6 +304,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -333,7 +350,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -461,9 +478,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -506,6 +520,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true GWLBName: Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. Type: String @@ -649,10 +668,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -962,7 +977,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml + TemplateURL: __URL__/gwlb/gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] 
@@ -972,6 +987,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate @@ -992,6 +1008,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementDeploy: !Ref ManagementDeploy ManagementInstanceType: !Ref ManagementInstanceType ManagementVersion: !Ref ManagementVersion diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index 4ec20f7a..dd756635 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server (20240417) +Description: Deploys a Check Point Management Server (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -20,6 +20,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: IAM Permissions (ignored when the installation is not Primary Management Server) @@ -70,6 +71,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token ManagementPermissions: default: IAM role ManagementPredefinedRole: @@ -273,6 +276,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false ManagementPermissions: Description: IAM role to attach to the instance profile. Type: String 
@@ -299,10 +309,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -330,7 +336,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true ManagementHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: mgmt-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -406,11 +412,12 @@ Conditions: UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] NoSIC: !Equals [!Ref SICKey, ''] PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref ManagementVersion, MGMT]] ManagementReadyHandle: @@ -486,7 +493,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + TemplateURL: __URL__/iam/cme-iam-role.yaml Parameters: Permissions: !Ref ManagementPermissions STSRoles: !Join [',', !Ref ManagementSTSRoles] 
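Review bot: `EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]` in the `@@ -406,11 +412,12 @@ Conditions:` hunk compares a String parameter against an unquoted YAML boolean, whereas the rules touched elsewhere in this commit quote the literal (`Assert: !Equals [!Ref AllocatePublicAddress, 'true']`). CloudFormation appears to accept both spellings, but the quoted form is unambiguous for YAML linters and matches the file's `AllowedValues` of the parameter; suggest `EnableMetaDataToken: !Equals [!Ref MetaDataToken, 'true']`. The geo-cluster launch template earlier in this diff references the same condition name, so presumably the same comparison exists there and should use the same form.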
@@ -499,15 +506,15 @@ Resources: - !Ref ManagementPredefinedRole ManagementInstance: Type: AWS::EC2::Instance - DependsOn: ManagementSecurityGroup + DependsOn: ManagementLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref ManagementName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref ManagementInstanceType - IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] - KeyName: !Ref KeyName NetworkInterfaces: - DeviceIndex: 0 AssociatePublicIpAddress: false 
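Review bot: `DependsOn: ManagementLaunchTemplate` on ManagementInstance is redundant, because `LaunchTemplateId: !Ref ManagementLaunchTemplate` already orders creation after the template, and the dropped `DependsOn: ManagementSecurityGroup` is likewise implied by the `!Ref ManagementSecurityGroup` under NetworkInterfaces. The same explicit dependency is added in mds.yaml as `DependsOn: [MDSSecurityGroup, MDSLaunchTemplate]` and in gateway.yaml as `DependsOn: GatewayLaunchTemplate`, so the three files now spell the same thing three ways; either drop the explicit DependsOn everywhere or use one form. If it is kept, a comment such as `# explicit for readability; the Ref already implies this ordering` stops the next reader from assuming a missing implicit dependency.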
@@ -516,32 +523,43 @@ Resources: - !Ref ManagementSecurityGroup DeleteOnTermination: true SubnetId: !Ref ManagementSubnet - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' - - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] - - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] - - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" 
templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: EIP diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index 241bb981..1f5a9b41 100644 --- a/aws/templates/mds/mds.yaml +++ b/aws/templates/mds/mds.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server (20240417) +Description: Deploys a Check Point Multi-Domain Server (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -19,6 +19,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server) @@ -66,6 +67,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token MDSPermissions: default: IAM role MDSPredefinedRole: @@ -260,6 +263,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false MDSPermissions: Description: IAM role to attach to the instance profile. Type: String @@ -286,8 +296,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R81-BYOL - R81.10-BYOL - R81.20-BYOL Shell: 
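Review bot: The UserData that embeds SICKey, ManagementPasswordHash, ManagementMaintenancePasswordHash and ManagementBootstrapScript (base64-encoded, not encrypted) now lives in ManagementLaunchTemplate rather than on the instance, so these values persist in every launch template version and become readable through DescribeLaunchTemplateVersions in addition to the instance user-data attribute; `NoEcho` on the parameters does not cover either location. The same move is made in mds.yaml (MDSLaunchTemplate) and gateway.yaml (GatewayLaunchTemplate). At minimum the parameter descriptions or a template comment should state that these values end up in launch-template user data and that read access to launch template versions should be treated as sensitive; longer term, fetching the hashes and SIC key from SSM Parameter Store or Secrets Manager inside cloud_config.py would keep them out of the template entirely. Separately, `IamInstanceProfile: Name:` assumes `ManagementRoleStack.Outputs.CMEIAMRole` is an instance-profile name; the nested stack's output is not visible here, so confirm it is a name rather than an ARN, in which case `Arn:` is the matching key.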
@@ -313,7 +321,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true MDSHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: mds-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -350,7 +358,7 @@ Parameters: with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) Type: String AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' - ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 GatewaysAddresses: Description: Allow gateways only from this network to communicate with the Multi-Domain. Server @@ -385,11 +393,12 @@ Conditions: PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref MDSVersion, MGMT]] MDSSecurityGroup: @@ -454,7 +463,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + TemplateURL: __URL__/iam/cme-iam-role.yaml Parameters: Permissions: !Ref MDSPermissions STSRoles: !Join [',', !Ref MDSSTSRoles] 
@@ -467,15 +476,15 @@ Resources: - !Ref MDSPredefinedRole MDSInstance: Type: AWS::EC2::Instance - DependsOn: MDSSecurityGroup + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref MDSName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref MDSInstanceType - IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] - KeyName: !Ref KeyName NetworkInterfaces: - DeviceIndex: 0 AssociatePublicIpAddress: false 
@@ -484,27 +493,38 @@ Resources: - !Ref MDSSecurityGroup DeleteOnTermination: true SubnetId: !Ref MDSSubnet - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - Fn::Join: - - |+ + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' - - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] - - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref 
MDSVersion]]}] - - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' \ No newline at end of file + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template 
version \ No newline at end of file diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml index 3c34df22..c7c1d195 100644 --- a/aws/templates/single-gw/gateway-master.yaml +++ b/aws/templates/single-gw/gateway-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into a new VPC (20240204) +Description: Deploys a Check Point Security Gateway into a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -77,6 +78,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateway Version & license Shell: @@ -124,17 +127,21 @@ Parameters: Description: The public subnet of the Security Gateway. Type: String Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. PrivateSubnetCIDR: Description: The private subnet of the Security Gateway. Type: String Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GatewayName: Type: String Default: Check-Point-Gateway GatewayInstanceType: Description: The instance type of the Secutiry Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
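Review bot: The default `GatewayInstanceType` changes to `c6in.xlarge`, but the `AllowedValues` list visible in the hunk starts at `c4.large`/`c4.xlarge` and the rest is outside it; if `c6in.xlarge` is not in that list, every deployment that keeps the default fails parameter validation before any resource is created. Confirm the value is present here and in gateway.yaml (@@ -132), where the same default change is made. The new `AllowedPattern`/`ConstraintDescription` pair on PublicSubnetCIDR and PrivateSubnetCIDR is a welcome input check and agrees with the /16–/28 range the pattern enforces.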
@@ -287,16 +294,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -342,7 +350,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -400,7 +408,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -428,7 +436,7 @@ Resources: GatewayStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/gateway.yaml + TemplateURL: __URL__/gateway/gateway.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -443,6 +451,7 @@ Resources: VolumeEncryption: !Ref VolumeEncryption EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewaySICKey: !Ref GatewaySICKey diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml index 5c66f2fa..76c5cef6 100644 --- a/aws/templates/single-gw/gateway.yaml +++ b/aws/templates/single-gw/gateway.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into an existing VPC (20240204) +Description: Deploys a Check Point Security Gateway into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -77,6 +78,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateway Version & license Shell: @@ -132,7 +135,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -285,16 +288,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -340,7 +344,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' 
@@ -398,6 +402,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -432,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref GatewayIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion,GW]] ExternalNetworkInterface: @@ -496,7 +501,12 @@ Resources: RouteTableId: !Ref InternalRouteTable GatewayInstance: Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref GatewayName 
@@ -510,40 +520,47 @@ Resources: - !Join ['=', [template,!Ref ConfigurationTemplate]] - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] - !Ref 'AWS::NoValue' - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - IamInstanceProfile: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, 
')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref ExternalNetworkInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref InternalNetworkInterface + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 
/etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml index 4f598a3f..42832747 100644 --- a/aws/templates/standalone/standalone-master.yaml +++ b/aws/templates/standalone/standalone-master.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance in a new VPC (20240204) + Security Gateway & Management (Standalone) instance in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token StandaloneVersion: default: License Shell: 
@@ -110,10 +113,14 @@ Parameters: Description: The public subnet of the Security Gateway. Type: String Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. PrivateSubnetCIDR: Description: The private subnet of the Security Gateway. Type: String Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. StandaloneName: Type: String Default: Check-Point-Instance @@ -157,15 +164,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false StandaloneVersion: Description: Standalone Version & License. Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-PAYG-NGTP - - R80.40-BYOL - - R81-PAYG-NGTP - - R81-BYOL - R81.10-PAYG-NGTP - R81.10-BYOL - R81.20-PAYG-NGTP @@ -313,7 +323,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -364,7 +374,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 
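Review bot: `StandaloneHostname`'s description is cut to just `(optional)`, dropping the reserved-words guidance and the sk40179 reference that the sibling templates keep (management.yaml, mds.yaml and gateway.yaml all change it to `... refer to sk40179. (optional)`), while the `AllowedPattern` that only enforces hostname syntax is unchanged, so a user who picks a reserved word now gets no hint why it fails later. The same truncation is made in standalone.yaml (@@ -310). Suggest `Description: The name must not contain reserved words. For details, refer to sk40179. (optional)` in both files.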
@@ -391,7 +401,7 @@ Resources: StandaloneStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/standalone.yaml + TemplateURL: __URL__/gateway/standalone.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -406,6 +416,7 @@ Resources: VolumeEncryption: !Ref VolumeEncryption EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken StandaloneVersion: !Ref StandaloneVersion Shell: !Ref Shell StandalonePasswordHash: !Ref StandalonePasswordHash diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml index 78f36aba..cc565f6c 100644 --- a/aws/templates/standalone/standalone.yaml +++ b/aws/templates/standalone/standalone.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance into an existing VPC (20240204) + Security Gateway & Management (Standalone) instance into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token StandaloneVersion: default: License Shell: 
@@ -270,15 +273,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false StandaloneVersion: Description: Standalone Version & License. Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-PAYG-NGTP - - R80.40-BYOL - - R81-PAYG-NGTP - - R81-BYOL - R81.10-PAYG-NGTP - R81.10-BYOL - R81.20-PAYG-NGTP @@ -310,7 +316,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -361,6 +367,7 @@ Conditions: ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] EnableCloudWatch: !Equals [!Ref CloudWatch, true] IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL'] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -395,14 +402,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref StandaloneIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] ExternalNetworkInterface: 
@@ -456,43 +463,55 @@ Resources: RouteTableId: !Ref InternalRouteTable StandaloneInstance: Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref StandaloneName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref StandaloneInstanceType - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - IamInstanceProfile: !If [EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue'] - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref StandaloneInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' - - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref StandaloneVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref ExternalNetworkInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref InternalNetworkInterface + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' + - !If [ AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ] + - !Join [ '', [ ' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ] + - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] + - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref 
StandaloneMaintenancePasswordHash, ')"' ] ] + - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml index 076e24a7..bd72aa0e 100644 --- a/aws/templates/tgw-asg/tgw-asg-master.yaml +++ b/aws/templates/tgw-asg/tgw-asg-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - Label: default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration @@ -84,6 +85,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download GatewayName: 
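Review bot: Moving the instance profile under `IamInstanceProfile: Name: !If [ EnableCloudWatch, ..., !Ref 'AWS::NoValue' ]` in `GatewayLaunchTemplate` appears to leave an empty `IamInstanceProfile: {}` in the launch template data when CloudWatch is disabled, because `AWS::NoValue` removes only the `Name` key; the old instance-level form removed the whole property. Putting the condition on the key itself avoids that: `IamInstanceProfile: !If [ EnableCloudWatch, { Name: !Ref StandaloneInstanceProfile }, !Ref 'AWS::NoValue' ]` — worth confirming against a deploy with CloudWatch=false. The explicit `DependsOn: GatewayLaunchTemplate` on `StandaloneInstance` is redundant, since `!Ref GatewayLaunchTemplate` and the `!GetAtt ...LatestVersionNumber` already create the dependency. The `MetadataOptions: HttpTokens: !If [EnableMetaDataToken, required, optional]` line is the IMDSv2 enforcement this change set introduces and relies on the parameter default of `true` to be effective; the `HttpPutResponseHopLimit` is left at its default, which is the appropriate choice for a gateway that forwards traffic.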
@@ -214,6 +217,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -228,7 +238,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -356,12 +366,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -530,10 +534,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -612,7 +612,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -625,7 +625,7 @@ Resources: MainStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/tgw-asg.yaml + TemplateURL: __URL__/autoscale/tgw-asg.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join @@ -640,6 +640,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload GatewayName: !Ref GatewayName GatewayInstanceType: !Ref GatewayInstanceType 
@@ -682,7 +683,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" - Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml index c63676e1..096570d1 100644 --- a/aws/templates/tgw-asg/tgw-asg.yaml +++ b/aws/templates/tgw-asg/tgw-asg.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -17,6 +17,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - Label: default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download GatewayName: @@ -168,6 +171,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String 
@@ -182,7 +192,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -310,12 +320,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -484,10 +488,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -566,7 +566,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml + TemplateURL: __URL__/management/management.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -579,6 +579,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementPermissions: !Ref ManagementPermissions ManagementPredefinedRole: !Ref ManagementPredefinedRole ManagementVersion: !Ref ManagementVersion @@ -619,7 +620,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/autoscale.yaml + TemplateURL: __URL__/autoscale/autoscale.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -630,6 +631,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail 
@@ -673,7 +675,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" - Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml index 076c1390..4c03ed53 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -168,7 +171,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -325,6 +328,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL 
@@ -417,7 +427,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -441,7 +451,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-cross-az-cluster.yaml + TemplateURL: __URL__/cluster/tgw-cross-az-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -461,6 +471,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -507,12 +518,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml index 651a4554..92cce90f 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml 
@@ -1,5 +1,7 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an + existing VPC + (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +29,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +90,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -162,7 +167,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -320,6 +325,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String @@ -413,7 +425,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + TemplateURL: __URL__/cluster/cross-az-cluster.yaml Parameters: VPC: !Ref VPC PublicSubnetA: !Ref PublicSubnetA @@ -431,6 +443,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash 
@@ -503,12 +516,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml index 7eb8db40..dcb860be 100644 --- a/aws/templates/tgw-ha/tgw-ha-master.yaml +++ b/aws/templates/tgw-ha/tgw-ha-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -160,6 +163,7 @@ Parameters: Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GatewayName: Description: The name tag of the Security Gateway instances. (optional) @@ -168,7 +172,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -325,16 +329,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -423,7 +428,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -446,7 +451,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-ha.yaml + TemplateURL: __URL__/cluster/tgw-ha.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID 
@@ -466,6 +471,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -509,12 +515,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml index e02d8e5e..d05a2e2b 100644 --- a/aws/templates/tgw-ha/tgw-ha.yaml +++ b/aws/templates/tgw-ha/tgw-ha.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -161,7 +164,7 @@ Parameters: Default: Check-Point-Cluster GatewayInstanceType: Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -319,17 +322,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -419,7 +423,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml + TemplateURL: __URL__/cluster/geo-cluster.yaml Parameters: VPC: !Ref VPC PublicSubnetA: !Ref PublicSubnetA @@ -437,6 +441,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -506,12 +511,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] 
diff --git a/azure/misc/azure_ha_test.py b/azure/misc/azure_ha_test.py index 48fcac18..53601177 100755 --- a/azure/misc/azure_ha_test.py +++ b/azure/misc/azure_ha_test.py @@ -35,7 +35,6 @@ def set_arm_versions(): - """#TODO fixDocstring""" global ARM_VERSIONS log('Setting api versions for "%s" solution\n' % templateName) if templateName == 'stack-ha': @@ -48,17 +47,14 @@ def set_arm_versions(): def is_azure(): - """#TODO fixDocstring""" return os.path.isfile('/etc/in-azure') def log(msg): - """#TODO fixDocstring""" sys.stderr.write(msg) def test_rw(rid, allow_not_found=False, test_write=True): - """#TODO fixDocstring""" components = rid.split('/') log('Id : %s\n' % rid) log('Subscription : %s\n' % components[2]) @@ -85,7 +81,6 @@ def test_rw(rid, allow_not_found=False, test_write=True): def get_vm_primary_nic(vm): - """#TODO fixDocstring""" nis = vm['properties']['networkProfile']['networkInterfaces'] if len(nis) == 1: ni = nis[0] @@ -97,7 +92,6 @@ def get_vm_primary_nic(vm): def test_cluster_ip(): - """#TODO fixDocstring""" def test_vip(vip_resource): if '/' in vip_resource: cluster_ip_id = vip_resource @@ -116,7 +110,6 @@ def test_vip(vip_resource): def test_load_balancer(): - """#TODO fixDocstring""" load_balancer_nm = conf.get('lbName', '') if not load_balancer_nm: log('An external load balancer name is not configured.\n') @@ -129,7 +122,6 @@ def test_load_balancer(): def vnet_rg(): - """#TODO fixDocstring""" local_vm = azure.arm('GET', conf['baseId'] + 'microsoft.compute/virtualmachines/' + conf['hostname'])[1] @@ -140,7 +132,6 @@ def vnet_rg(): def get_route_table_ids_for_vnet(vnet): - """#TODO fixDocstring""" route_table_ids = set() for subnet in vnet['properties'].get('subnets', []): if subnet['properties'].get('routeTable'): @@ -149,7 +140,6 @@ def get_route_table_ids_for_vnet(vnet): def get_vnet_id(): - """#TODO fixDocstring""" vnet_id = conf.get('vnetId') if vnet_id: return vnet_id 
@@ -164,7 +154,6 @@ def get_vnet_id(): def get_route_table_ids_for_peering(vnet): - """#TODO fixDocstring""" route_table_ids = set() for peering in vnet['properties'].get('virtualNetworkPeerings', []): @@ -185,7 +174,6 @@ def get_route_table_ids_for_peering(vnet): def get_route_table_ids(): - """#TODO fixDocstring""" route_table_ids = set() vnet_id = get_vnet_id() @@ -198,7 +186,6 @@ def get_route_table_ids(): def interfaces_test_rw(interface_id): - """#TODO fixDocstring""" interface = test_rw(interface_id['id']) if not interface['properties'].get('enableIPForwarding'): raise Exception( @@ -207,7 +194,6 @@ def interfaces_test_rw(interface_id): def test_cluster_parameters(): - """#TODO fixDocstring""" path = "/var/opt/fw.boot/modules/fwkern.conf" text1 = "fwha_dead_timeout_multiplier=20" text2 = "fwha_if_problem_tolerance=200" @@ -248,7 +234,6 @@ def test_cluster_parameters(): def test(): - """#TODO fixDocstring""" global conf if not is_azure(): @@ -412,7 +397,6 @@ def test(): def main(): - """#TODO fixDocstring""" try: test() except Exception: diff --git a/azure/templates/marketplace-gateway-load-balancer/README.md b/azure/templates/marketplace-gateway-load-balancer/README.md index a970e1a3..4b5df7cc 100644 --- a/azure/templates/marketplace-gateway-load-balancer/README.md +++ b/azure/templates/marketplace-gateway-load-balancer/README.md @@ -19,4 +19,3 @@ Benefits: To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json) - diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index 54fd25cc..1de1c662 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json 
+++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json @@ -1120,7 +1120,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1508,9 +1508,9 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } -} \ No newline at end of file +} diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json index f9db5e37..12d29edc 100644 --- a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json +++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json @@ -414,7 +414,7 @@ "variables": { "resourceGroup": "[resourceGroup()]", "templateName": "gwlb", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", 
@@ -639,7 +639,23 @@ "diskSize100GB": 100, "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "vxlanParametersForR82": "kernel_parameters:\n sim:\n - sim_enable_vxlan=3\n - sim_enable_gre=3\n fw: \n - fw_enable_vxlan=1\n - fw_enable_gre=1", + "cloudConfigParams":[ + "[concat('installationType=\\\"', variables('installationType'), '\\\"')]", + "[concat('allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"')]", + "[concat('osVersion=\\\"', variables('osVersion'), '\\\"')]", + "[concat('templateName=\\\"', variables('templateName'), '\\\"')]", + "[concat('isBlink=\\\"', variables('isBlink'), '\\\"')]", + "[concat('templateVersion=\\\"', variables('templateVersion'), '\\\"')]", + "[concat('bootstrapScript64=\\\"', variables('bootstrapScript64'), '\\\"')]", + "[concat('location=\\\"', variables('location'), '\\\"')]", + "[concat('sicKey=\\\"', variables('sicKey'), '\\\"')]", + "[concat('customMetrics=\\\"', variables('customMetrics'), 
'\\\"')]", + "[concat('adminShell=\\\"', parameters('adminShell'), '\\\"')]", + "[concat('MaintenanceModePassword=\\\"', parameters('MaintenanceModePasswordHash'), '\\\"')]", + "[concat('passwordHash=\\\"', parameters('SerialConsolePasswordHash'), '\\\"')]" + ], + "customData": "[concat('#cloud-config','\n', if(equals(variables('osVersion'),'R82'),variables('vxlanParametersForR82'), ''),'\n', 'runcmd:\n - python3 /etc/cloud_config.py ', join(variables('cloudConfigParams'), ' '))]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", "imageReferenceBYOL": { @@ -1032,7 +1048,7 @@ "mode": "Manual" }, "virtualMachineProfile": { - "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "UserData": "[base64(concat(variables('customData'), '\n'))]", "storageProfile": { "osDisk": { "diskSizeGB": "[variables('diskSizeGB')]", @@ -1048,7 +1064,6 @@ "adminPassword": "[parameters('adminPassword')]", "adminUsername": "[concat('not','used')]", "computerNamePrefix": "[toLower(parameters('vmName'))]", - "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", "linuxConfiguration": "[variables('linuxConfiguration')]" }, "networkProfile": { @@ -1079,7 +1094,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(variables('storageAccountId'), '2019-06-01').primaryEndpoints.blob]" + "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]" } } }, 
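Review bot: The rebuilt `UserData` no longer carries the `vnet="<address prefix>"` value that both the old `UserData` and the removed osProfile `customData` passed, and `cloudConfigParams` has no `vnet` entry, so the gwlb `/etc/cloud_config.py` run loses that input; if it is still consumed, add `"[concat('vnet=\\\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\\\"')]"` to the list, otherwise a one-line comment in the commit message saying it was dropped on purpose would help the next reader. In `vxlanParametersForR82` the `fw: \n` key carries a trailing space before the newline, which YAML tolerates but which reads like a typo. The `\\\"` escaping in each `cloudConfigParams` entry mirrors the `\"` quoting the AWS templates use in their `runcmd` line, so the two paths stay consistent.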
diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index a547363d..c770250c 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json +++ b/azure/templates/marketplace-ha/createUiDefinition.json @@ -836,7 +836,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -946,7 +946,7 @@ "label": "Availability options", "defaultValue": "Availability Set", "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { @@ -1199,7 +1199,7 @@ "label": "Quick connect to Smart-1 Cloud", "defaultValue": "Yes", "toolTip": "Automatically connect this Cluster to Smart-1 Cloud - Check Point's Security Management as a Service", - "constraints": { + "constraints": { "allowedValues": [ { "label": "Yes", 
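Review bot: The `visible` expression on the availability-options control now ends the region list with `italynorth \\ '`, which after JSON decoding puts a literal backslash-space token into the string; `contains()` still matches real region names, but the token looks accidental and should be dropped so the line ends `... uaenorth italynorth ', concat(' ', location(), ' '))]`. The other changes in this file are whitespace only, and the one that removes the space in `"addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]"` leaves that key formatted unlike every neighbouring key in the outputs mapping; the same edit appears in the gateway-load-balancer and management createUiDefinition.json files.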
@@ -1238,16 +1238,16 @@ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" }, { - "name": "Smart1CloudTokenB", - "type": "Microsoft.Common.TextBox", - "label": "Smart-1 Cloud Token Member B", - "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", - "constraints": { - "required": true, - "regex": "[\\S\\s]{5,}", - "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" - }, - "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + "name": "Smart1CloudTokenB", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member B", + "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" } ] }, @@ -1640,7 +1640,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "VipsNumber": "[int(steps('network').Vips_Number)]", "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json index 77c7fbf3..92ebdc45 100644 
--- a/azure/templates/marketplace-ha/mainTemplate.json +++ b/azure/templates/marketplace-ha/mainTemplate.json @@ -357,7 +357,7 @@ "VIPs_Number": "[int(parameters('VipsNumber'))]", "Vip_Names": "[split(parameters('VipNames'), ',')]", "templateName": "ha", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "elbPublicIPName": "frontend-lb-address", "haPublicIPName": "[parameters('vmName')]", @@ -1210,7 +1210,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 83dcc85d..7e945af8 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json @@ -225,7 +225,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -422,7 +422,7 @@ } ] } - }, + }, { "name": "enableApi", "type": "Microsoft.Common.DropDown", @@ -694,7 +694,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } 
diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json index 409cb73f..eb3153c8 100644 --- a/azure/templates/marketplace-management/mainTemplate.json +++ b/azure/templates/marketplace-management/mainTemplate.json @@ -269,7 +269,7 @@ }, "variables": { "templateName": "management", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -868,7 +868,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json index 52056087..de11e136 100644 --- a/azure/templates/marketplace-mds/createUiDefinition.json +++ b/azure/templates/marketplace-mds/createUiDefinition.json @@ -186,7 +186,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -629,7 +629,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } 
diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json index 91f313fc..98e056c2 100644 --- a/azure/templates/marketplace-mds/mainTemplate.json +++ b/azure/templates/marketplace-mds/mainTemplate.json @@ -262,7 +262,7 @@ }, "variables": { "templateName": "mds", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -851,7 +851,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-single-waap/createUiDefinition.json b/azure/templates/marketplace-single-waap/createUiDefinition.json index 3ebd285b..42e2ebff 100755 --- a/azure/templates/marketplace-single-waap/createUiDefinition.json +++ b/azure/templates/marketplace-single-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-[a-z0-9A-Z-]{72,72}$", - "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" + "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", + "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-single-waap/mainTemplate.json b/azure/templates/marketplace-single-waap/mainTemplate.json index 1d4f4b84..d7704b90 100755 --- a/azure/templates/marketplace-single-waap/mainTemplate.json 
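Review bot: The new `regex` in the `@@ -67` hunk accepts tokens of exactly 75 or 78 characters, but the companion `mainTemplate.json` change (`@@ -50`, next file section) only raises `maxLength` to 78 and leaves `minLength` at 75, so a 76- or 77-character value that the portal rejects is still accepted on a direct template deployment; if those two lengths are the only valid shapes, the parameter's `metadata.description` should say so, since ARM parameters cannot express the regex. Stylistically `{72,72}` and `{75,75}` are just `{72}` and `{75}`, and the alternation collapses to one pattern, `^cp-[a-zA-Z0-9-]{72}([a-zA-Z0-9-]{3})?$`, which is easier to keep in step with the validation message. The same regex and message appear in marketplace-vmss-waap/createUiDefinition.json (`@@ -67`).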
+++ b/azure/templates/marketplace-single-waap/mainTemplate.json @@ -50,7 +50,7 @@ "waapAgentToken": { "type": "securestring", "minLength": 75, - "maxLength": 75, + "maxLength": 78, "metadata": { "description": "Infinity Next Agent Token" } @@ -203,7 +203,7 @@ }, "variables": { "templateName": "checkpoint_waap", - "templateVersion": "20210922", + "templateVersion": "20211028", "location": "[parameters('location')]", "osVersion": "R8040", "installationType": "waap", @@ -282,6 +282,9 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", + "properties": { + "minimalTlsVersion": "TLS1_2" + }, "apiVersion": "2021-04-01", "location": "[variables('location')]", "sku": { diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json index b02e4ffd..4df2533a 100644 --- a/azure/templates/marketplace-single/createUiDefinition.json +++ b/azure/templates/marketplace-single/createUiDefinition.json @@ -785,7 +785,7 @@ "name": "installationType", "type": "Microsoft.Common.DropDown", "label": "Installation type", - "visible": "[or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]", + "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]", "defaultValue": "Gateway only", "toolTip": "Select the type of deployment", "constraints": { 
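Review bot: `minimalTlsVersion: TLS1_2` in the `@@ -282` hunk raises the TLS floor on the diagnostics storage account, but the two properties usually set beside it on `Microsoft.Storage/storageAccounts`, `supportsHttpsTrafficOnly` and `allowBlobPublicAccess`, are left to the API-version default, which differs between versions; adding `"supportsHttpsTrafficOnly": true` and `"allowBlobPublicAccess": false` to the same `properties` object pins the intended posture regardless of `apiVersion`. The identical addition appears in marketplace-vmss-waap/mainTemplate.json (`@@ -661`) and nestedtemplates/storageAccount-new.json (`@@ -30`). Separately, the `@@ -203` hunk bumps `templateVersion` to `20211028` while the non-WAAP templates in this commit move to `20240904`; a 2021 date stamped on a 2024 change looks like a typo.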
@@ -831,7 +831,7 @@ { "name": "standaloneValidation", "type": "Microsoft.Common.InfoBox", - "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]", + "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]", "options": { "icon": "Error", "text": "Standalone deployment is ONLY supported for CloudGuard versions R81.10 and R81.20 Bring Your Own License." @@ -877,7 +877,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1120,7 +1120,7 @@ "label": "Quick connect to Smart-1 Cloud", "defaultValue": "Yes", "toolTip": "Automatically connect this single gateway to Smart-1 Cloud - Check Point's Security Management as a Service", - "constraints": { + "constraints": { "allowedValues": [ { "label": "Yes", @@ -1157,7 +1157,7 @@ "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" }, "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" - } + } ] }, { @@ -1347,7 +1347,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]" + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]" } } -} \ No newline at end of file +} diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json index 57fea308..6085d845 100644 
--- a/azure/templates/marketplace-single/mainTemplate.json +++ b/azure/templates/marketplace-single/mainTemplate.json @@ -306,7 +306,7 @@ }, "variables": { "templateName": "single", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -869,7 +869,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-vmss-waap/createUiDefinition.json b/azure/templates/marketplace-vmss-waap/createUiDefinition.json index 2ca24a11..51c05e9c 100755 --- a/azure/templates/marketplace-vmss-waap/createUiDefinition.json +++ b/azure/templates/marketplace-vmss-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-[a-z0-9A-Z-]{72,72}$", - "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" + "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", + "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-vmss-waap/mainTemplate.json b/azure/templates/marketplace-vmss-waap/mainTemplate.json index bd80fffb..0b921194 100755 --- a/azure/templates/marketplace-vmss-waap/mainTemplate.json +++ b/azure/templates/marketplace-vmss-waap/mainTemplate.json 
@@ -51,7 +51,7 @@
 "waapAgentToken": {
 "type": "securestring",
 "minLength": 75,
- "maxLength": 75,
+ "maxLength": 78,
 "metadata": {
 "description": "Infinity Next Agent Token"
 }
@@ -73,6 +73,7 @@
 "availabilityZonesNum": {
 "type": "int",
 "allowedValues": [
+ 0,
 1,
 2,
 3
@@ -387,7 +388,7 @@
 },
 "variables": {
 "templateName": "waap_vmss",
- "templateVersion": "20210922",
+ "templateVersion": "20211028",
 "location": "[parameters('location')]",
 "osVersion": "R8040",
 "isBlink": true,
@@ -661,6 +662,9 @@
 {
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
+ "properties": {
+ "minimalTlsVersion": "TLS1_2"
+ },
 "apiVersion": "2021-04-01",
 "location": "[variables('location')]",
 "sku": {
diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json
index 6b3ebbce..0f2cf56a 100644
--- a/azure/templates/marketplace-vmss/createUiDefinition.json
+++ b/azure/templates/marketplace-vmss/createUiDefinition.json
@@ -1331,7 +1331,7 @@
 }
 },
 {
- "visible": "[bool(basics('auth').sshPublicKey)]",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
 "name": "EnableSerialConsolePassword",
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Enable Serial console password",
@@ -1744,9 +1744,9 @@
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
 "NewNsgName": "[steps('network').NSGName]",
- "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
 "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
 "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json
index 0dd69d8d..077e926c 100644
--- a/azure/templates/marketplace-vmss/mainTemplate.json
+++ b/azure/templates/marketplace-vmss/mainTemplate.json
@@ -502,7 +502,7 @@
 "resourceGroup": "[resourceGroup()]",
 "resourceGroupName": "[resourceGroup().name]",
 "templateName": "vmss-v2",
- "templateVersion": "20240716",
+ "templateVersion": "20240904",
 "location": "[parameters('location')]",
 "offers": {
 "R81.10 - Bring Your Own License": "BYOL",
@@ -1229,7 +1229,7 @@
 "diagnosticsProfile": {
 "bootDiagnostics": {
 "enabled": "true",
- "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]"
+ "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
 }
 }
 },
diff --git a/azure/templates/nestedtemplates/storageAccount-new.json b/azure/templates/nestedtemplates/storageAccount-new.json
index 51820aac..b08a25a7 100644
--- a/azure/templates/nestedtemplates/storageAccount-new.json
+++ b/azure/templates/nestedtemplates/storageAccount-new.json
@@ -30,6 +30,9 @@
 {
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[parameters('storageAccountName')]",
+ "properties": {
+ "minimalTlsVersion": "TLS1_2"
+ },
 "apiVersion": "[parameters('apiVersion')]",
 "location": "[parameters('location')]",
 "sku": {
@@ -39,4 +42,4 @@
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/azure/templates/nestedtemplates/vnet-1-subnet-existing.json b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json
index 81fc0d5a..cb335d9a 100644
--- a/azure/templates/nestedtemplates/vnet-1-subnet-existing.json
+++ b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json
@@ -84,4 +84,4 @@
 "type": "object"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json
index 17781d8c..04e3694c 100644
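Review bot: In the `@@ -30` hunk of storageAccount-new.json, `minimalTlsVersion` is added to a resource whose `apiVersion` is `[parameters('apiVersion')]`; as far as I recall that property only exists in storage API versions from 2019 onward, so a caller of this nested template that still passes an older version now fails deployment validation instead of deploying as before. Either document the minimum supported version in the `apiVersion` parameter's description or pin the resource's `apiVersion` to a version known to accept the property. The `@@ -39` hunk, and the vnet-*.json sections that follow, remove the file's trailing newline (`\ No newline at end of file` on the new side) while marketplace-single/createUiDefinition.json gains one in the same commit; keeping a final newline consistently avoids churn in later diffs.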
--- a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json @@ -73,4 +73,4 @@ "type": "array" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json index be5ae374..d9ca08ba 100644 --- a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json @@ -189,4 +189,4 @@ "type": "array" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-existing-stack-ha.json b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json index 6d7eaf7f..2f99a6f4 100644 --- a/azure/templates/nestedtemplates/vnet-existing-stack-ha.json +++ b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json @@ -90,4 +90,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-existing.json b/azure/templates/nestedtemplates/vnet-existing.json index 415f5361..64533665 100644 --- a/azure/templates/nestedtemplates/vnet-existing.json +++ b/azure/templates/nestedtemplates/vnet-existing.json @@ -73,4 +73,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-new-stack-ha.json b/azure/templates/nestedtemplates/vnet-new-stack-ha.json index f941bb4c..c7e9b1ad 100644 --- a/azure/templates/nestedtemplates/vnet-new-stack-ha.json +++ b/azure/templates/nestedtemplates/vnet-new-stack-ha.json @@ -138,4 +138,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/single-ipv6/README.md b/azure/templates/single-ipv6/README.md index 57e098d6..7021c048 100755 --- a/azure/templates/single-ipv6/README.md +++ b/azure/templates/single-ipv6/README.md @@ -7,4 +7,3 @@ Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?even Deploy to Azure - 
diff --git a/azure/templates/single-ipv6/mainTemplate.json b/azure/templates/single-ipv6/mainTemplate.json
index 3ef03349..ea4efc14 100755
--- a/azure/templates/single-ipv6/mainTemplate.json
+++ b/azure/templates/single-ipv6/mainTemplate.json
@@ -296,7 +296,7 @@
 "subnetName": "[parameters('Subnet1Name')]",
 "subnet2Name": "[parameters('Subnet2Name')]",
 "templateName": "singleIpv6",
- "templateVersion": "20240716",
+ "templateVersion": "20240904",
 "location": "[parameters('location')]",
 "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",
 "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]",
@@ -990,7 +990,7 @@
 "diagnosticsProfile": {
 "bootDiagnostics": {
 "enabled": "true",
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]"
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]"
 }
 },
 "hardwareProfile": {
diff --git a/azure/templates/vmss-ipv6/mainTemplate.json b/azure/templates/vmss-ipv6/mainTemplate.json
index 4c0f3b0a..f137e829 100755
--- a/azure/templates/vmss-ipv6/mainTemplate.json
+++ b/azure/templates/vmss-ipv6/mainTemplate.json
@@ -374,7 +374,7 @@
 "subnet2Name": "[parameters('Subnet2Name')]",
 "resourceGroup": "[resourceGroup()]",
 "templateName": "vmss-v2",
- "templateVersion": "20240716",
+ "templateVersion": "20240904",
 "location": "[parameters('location')]",
 "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",
 "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]",
@@ -1283,7 +1283,7 @@
 "diagnosticsProfile": {
 "bootDiagnostics": {
 "enabled": "true",
- "storageUri": "[reference(variables('storageAccountId'), '2021-06-01').primaryEndpoints.blob]"
+ "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
 }
 }
 },
diff --git a/azure/templates/vwan-managed-app/README.md b/azure/templates/vwan-managed-app/README.md
index 293238e2..085e0620 100644
--- a/azure/templates/vwan-managed-app/README.md
+++ b/azure/templates/vwan-managed-app/README.md
@@ -64,8 +64,8 @@ https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft
 }
 ],
 "availableVersions": [
- "8110.900335.1522",
- "8120.900631.1522",
+ "8110.900335.1435",
+ "8120.900631.1433",
 "latest"
 ],
 "marketPlaceLink": "https://aka.ms/Checkpointmarketplace",
diff --git a/azure/templates/vwan-managed-app/mainTemplate.json b/azure/templates/vwan-managed-app/mainTemplate.json
index 5b733a83..1856f822 100644
--- a/azure/templates/vwan-managed-app/mainTemplate.json
+++ b/azure/templates/vwan-managed-app/mainTemplate.json
@@ -25,7 +25,7 @@
 }
 },
 "imageVersion": {
- "defaultValue": "8120.900631.1594",
+ "defaultValue": "8120.900634.1641",
 "type": "String",
 "metadata": {
 "description": "The image version that will be used to deploy the solution. To get the image version, make API call to https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint?api-version=2023-05-01"
@@ -281,4 +281,4 @@
 }
 }
 ]
- }
+ }
\ No newline at end of file
diff --git a/common/custom-management-script.py b/common/custom-management-script.py
index 8b53028c..38264dd1 100755
--- a/common/custom-management-script.py
+++ b/common/custom-management-script.py
@@ -9,11 +9,8 @@
 # and at the beginning of the deprovisioning process.
 # Important: This is a placeholder script, and you should implement __add and __delete functions.
-import collections
 import os
-import subprocess
 import sys
-import traceback
 import logging
 from logging.handlers import RotatingFileHandler
diff --git a/contrib/terraform-azure-gwlb/cpcluster-main.tf b/contrib/terraform-azure-gwlb/cpcluster-main.tf
index dc622c82..1af9d1e4 100644
--- a/contrib/terraform-azure-gwlb/cpcluster-main.tf
+++ b/contrib/terraform-azure-gwlb/cpcluster-main.tf
@@ -233,6 +233,11 @@ resource "random_id" "clusterrandomId" {
 byte_length = 8
 }
 resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ }
 name = "bootdiag${random_id.clusterrandomId.hex}"
 resource_group_name = module.common.resource_group_name
 location = module.common.resource_group_location
diff --git a/contrib/terraform-azure-gwlb/cpmgmt-main.tf b/contrib/terraform-azure-gwlb/cpmgmt-main.tf
index 8dabd6ab..b009a3b4 100644
--- a/contrib/terraform-azure-gwlb/cpmgmt-main.tf
+++ b/contrib/terraform-azure-gwlb/cpmgmt-main.tf
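Review bot: The `blob_properties { delete_retention_policy { days = 7 } }` block added in the `@@ -233` hunk of cpcluster-main.tf enables blob soft delete on the boot-diagnostics account, but the account still sets no `min_tls_version`, whose default depends on the azurerm provider version in use (older 2.x releases default to TLS1_0), so this Terraform path does not match the `TLS1_2` floor the ARM templates in this commit adopt; adding `min_tls_version = "TLS1_2"` beside the new block would align them. As a style point the nested block is inserted above `name` and `resource_group_name`, whereas the usual HCL layout keeps the required arguments first and nested blocks after them. The same addition appears in cpmgmt-main.tf (`@@ -124`) and contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf (`@@ -176`).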
@@ -124,6 +124,11 @@ resource "random_id" "randomId" {
 # Create storage account for boot diagnostics
 resource "azurerm_storage_account" "ckp-storageaccount" {
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ }
 name = "diag${random_id.randomId.hex}"
 resource_group_name = azurerm_resource_group.rg-ckpmgmt.name
 location = azurerm_resource_group.rg-ckpmgmt.location
diff --git a/contrib/terraform-azure-gwlb/terraform.tfvars b/contrib/terraform-azure-gwlb/terraform.tfvars
index f35851c3..a3259c79 100644
--- a/contrib/terraform-azure-gwlb/terraform.tfvars
+++ b/contrib/terraform-azure-gwlb/terraform.tfvars
@@ -1,31 +1,31 @@ # Set in this file your deployment variables # Specify the Azure values -azure-client-id = "xxxxx-xxxxx-xxxxx-xxxxx" -azure-client-secret = "xxxxx-xxxxx-xxxxx-xxxxx" -azure-subscription = "xxxxx-xxxxx-xxxxx-xxxxx" -azure-tenant = "xxxxx-xxxxx-xxxxx-xxxxx" +azure-client-id = "PLEASE ENTER AZURE CLIENT ID" # "xxxxx-xxxxx-xxxxx-xxxxx" +azure-client-secret = "PLEASE ENTER AZURE CLIENT SECRET" # "xxxxx-xxxxx-xxxxx-xxxxx" +azure-subscription = "PLEASE ENTER AZURE SUBSCRIPTION" # "xxxxx-xxxxx-xxxxx-xxxxx" +azure-tenant = "PLEASE ENTER AZURE TENANT" # "xxxxx-xxxxx-xxxxx-xxxxx" # Specify where you want to deploy it and where you are coming from -location = "France Central" -my-pub-ip = "x.x.x.x/32" +location = "PLEASE ENTER LOCATION" # "France Central" +my-pub-ip = "PLEASE ENTER PUBLIC IP" # "x.x.x.x/32" # Management details -mgmt-sku-enabled = false # Have you ever deployed a R81.10 CKP management? Set to false if not -mgmt-dns-suffix = "xxxxx" -mgmt-admin-pwd = "xxxxx" +mgmt-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a R81.10 CKP management? Set to false if not +mgmt-dns-suffix = "PLEASE ENTER MANAGEMENT DNS SUFFIX" # "xxxxx" +mgmt-admin-pwd = "PLEASE ENTER MANAGEMENT ADMIN PASSWORD" # "xxxxx" # VMspoke details -vmspoke-sku-enabled = false # Have you ever deployed a Nginx VM before? set to false if not -vmspoke-usr = "xxxxx" -vmspoke-pwd = "xxxxx" +vmspoke-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a Nginx VM before? set to false if not +vmspoke-usr = "PLEASE ENTER VMSPOKE USER" # "xxxxx" +vmspoke-pwd = "PLEASE ENTER VMSPOKE PASSWORD" # "xxxxx" # Cluster Details -cpcluster-sku-enabled = false # Have you ever deployed a R80.40 CKP cluster? set to false if not" -admin_username = "xxxxx" -admin_password = "xxxxx" -sic_key = "xxxxx" +cpcluster-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a R80.40 CKP cluster? 
set to false if not" +admin_username = "PLEASE ENTER ADMIN USERNAME" # "xxxxx" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxx" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxx" # GWLB VMSS Details -gwlb-vmss-agreement = false # Have you ever deployed a GWLB VMSS? set to false if not -chkp-admin-pwd = "xxxxx" -chkp-sic = "xxxxx" +gwlb-vmss-agreement = "PLEASE ENTER true or false" # false # Have you ever deployed a GWLB VMSS? set to false if not +chkp-admin-pwd = "PLEASE ENTER CHKP ADMIN PASSWORD" # "xxxxx" +chkp-sic = "PLEASE ENTER CHKP SIC" # "xxxxx" diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf b/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf index f114b8ba..8b3cd410 100755 --- a/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf +++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf @@ -176,6 +176,11 @@ resource "random_id" "randomId" { byte_length = 8 } resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + blob_properties { + delete_retention_policy { + days = 7 + } + } name = "diag${random_id.randomId.hex}" resource_group_name = module.common.resource_group_name location = module.common.resource_group_location diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars index c227cb53..8fda9c83 100755 --- a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars +++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars 
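Review bot: In the `@@ -1,31 +1,31 @@` hunk the flags `mgmt-sku-enabled`, `vmspoke-sku-enabled`, `cpcluster-sku-enabled` and `gwlb-vmss-agreement` change from the boolean `false` to the string `"PLEASE ENTER true or false"`; if the corresponding `variable` blocks (not in this diff) declare `type = bool`, an unedited file now fails `terraform plan` with a type-conversion error instead of a readable prompt, which may be the intended fail-safe but should be stated in the README. The same file still expects `azure-client-secret`, `mgmt-admin-pwd`, `vmspoke-pwd`, `admin_password`, `sic_key`, `chkp-admin-pwd` and `chkp-sic` to be typed into a tracked file; supplying them through `TF_VAR_` environment variables or a git-ignored `*.auto.tfvars`, and marking those variables `sensitive = true`, keeps them out of the repository and out of plan output. The contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars hunk that follows has the same pattern, and there `subnet_prefixes` (previously a list) and the numeric instance counts also become placeholder strings, while `bootstrap_script` now holds placeholder text that would be handed to the gateway as its bootstrap script if left unedited.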
@@ -1,29 +1,29 @@
-resource_group_name = "checkpoint-vmss-terraform"
-location = "eastus"
-vmss_name = "checkpoint-vmss-terraform"
-vnet_name = "checkpoint-vmss-vnet"
-address_space = "172.16.0.0/16"
-subnet_prefixes = ["172.16.1.0/24","172.16.2.0/24"]
-backend_lb_IP_address = 4
-admin_password = "xxxxxxxxxx"
-sic_key = "xxxxxxxxxx"
-vm_size = "Standard_D3_v2"
-disk_size = "110"
-vm_os_sku = "sg-byol"
-vm_os_offer = "check-point-cg-r8040"
-os_version = "R80.40"
-bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-allow_upload_download = true
-disable_password_authentication = false
-availability_zones_num = "1"
-minimum_number_of_vm_instances = 2
-maximum_number_of_vm_instances = 10
-management_name = "mgmt"
-management_IP = "192.168.100.4"
-management_interface = "eth0"
-configuration_template_name = "vmss_template"
-notification_email = "name@company.com"
-frontend_load_distribution = "Default"
-backend_load_distribution = "Default"
-mgmt_vnet_name = "mgmt-vnet"
-mgmt_resource_group_name = "management"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+address_space = "PLEASE ENTER ADDRESS SPACE" # "172.16.0.0/16"
+subnet_prefixes = "PLEASE ENTER SUBNET PREFIXES" # ["172.16.1.0/24","172.16.2.0/24"]
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8040"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R80.40"
+bootstrap_script = "PLEASE ENTER 
CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+disable_password_authentication = "PLEASE ENTER true or false" # false
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "192.168.100.4"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth0"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # "name@company.com"
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+mgmt_vnet_name = "PLEASE ENTER MANAGEMENT VIRTUAL NETWORK NAME" # "mgmt-vnet"
+mgmt_resource_group_name = "PLEASE ENTER MANAGEMENT RESOURCE GROUP NAME" # "management"
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
index 16ec2197..d6dda38a 100644
--- a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
@@ -15,6 +15,7 @@ resource "google_compute_network" "external_network" {
 auto_create_subnetworks = false
 }
 resource "google_compute_subnetwork" "external_subnetwork" {
+ private_ip_google_access = true
 name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}"
 ip_cidr_range = var.external_subnetwork_ip_cidr_range
 region = var.region
@@ -26,6 +27,7 @@ resource "google_compute_network" "internal_network" { auto_create_subnetworks = false } resource "google_compute_subnetwork" "internal_subnetwork" { + private_ip_google_access = true name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}" ip_cidr_range = var.internal_subnetwork_ip_cidr_range region = var.region diff --git a/terraform/alicloud/cluster-master/README.md b/terraform/alicloud/cluster-master/README.md index 8c16dc10..010a8a35 100755 --- a/terraform/alicloud/cluster-master/README.md +++ b/terraform/alicloud/cluster-master/README.md @@ -63,8 +63,8 @@ Configure envrionment variables in Windows: | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {}} | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | @@ -161,7 +161,8 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/cluster/README.md b/terraform/alicloud/cluster/README.md index a703b75c..0df21dbd 100755 --- a/terraform/alicloud/cluster/README.md +++ b/terraform/alicloud/cluster/README.md @@ -56,7 +56,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | @@ -145,7 +145,8 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | @@ -155,4 +156,4 @@ ram_role_name = "" ## License -This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/terraform/alicloud/cluster/cluster_member_a_userdata.yaml b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml index 534d8e42..13d3d35d 100644 --- a/terraform/alicloud/cluster/cluster_member_a_userdata.yaml +++ b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/alicloud/cluster/cluster_member_b_userdata.yaml b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml index 43c69a99..0a4c0633 100644 
--- a/terraform/alicloud/cluster/cluster_member_b_userdata.yaml +++ b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/alicloud/cluster/main.tf b/terraform/alicloud/cluster/main.tf index 5fa001d6..db2d9c93 100755 --- a/terraform/alicloud/cluster/main.tf +++ b/terraform/alicloud/cluster/main.tf @@ -79,7 +79,7 @@ resource "alicloud_instance" "member-b-instance" { resource "alicloud_network_interface" "member_a_mgmt_eni" { network_interface_name = format("%s-Member-A-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) vswitch_id = var.mgmt_vswitch_id - security_group_ids = [ + security_group_ids = [ module.common_permissive_sg.permissive_sg_id] description = "eth2" } diff --git a/terraform/alicloud/gateway-master/README.md b/terraform/alicloud/gateway-master/README.md index 301c12a6..a90166fb 100755 
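Review bot: The rewritten member B line still carries `osVersion=\"{OsVersion}\"` without the `$`, so the Terraform template engine leaves the literal text `{OsVersion}` in the userdata instead of substituting the version, whereas member A on the preceding hunk correctly uses `osVersion=\"${OsVersion}\"`. Since the bump to `templateVersion=\"20240704\"` rewrites this line anyway, it is the moment to change that token to `osVersion=\"${OsVersion}\"` and to drop the stray space in `hostName=\"${Hostname }\"` so both members are identical apart from the token name. Separately, `sicKey`, `passwordHash` and `smart1CloudToken` are passed as command-line arguments to `cloud_config.py`, so they are visible in process listings and may land in cloud-init output logs; that is pre-existing, but a comment acknowledging it (or a move to a file or stdin) would be appropriate for a template that provisions security gateways.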
--- a/terraform/alicloud/gateway-master/README.md +++ b/terraform/alicloud/gateway-master/README.md @@ -61,7 +61,7 @@ Configure envrionment variables in Windows: | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | @@ -142,7 +142,8 @@ allocate_and_associate_eip = true | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/gateway/README.md b/terraform/alicloud/gateway/README.md index db7c32e2..32ba9dfc 100755 --- a/terraform/alicloud/gateway/README.md +++ b/terraform/alicloud/gateway/README.md @@ -53,7 +53,7 @@ Configure envrionment variables in Windows: | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | @@ -128,7 +128,8 @@ private_route_table = "rtb-12345678" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/management-master/README.md b/terraform/alicloud/management-master/README.md index ec200646..8e7ea6c2 100755 --- a/terraform/alicloud/management-master/README.md +++ b/terraform/alicloud/management-master/README.md @@ -49,7 +49,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | | ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | -| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| version_license | Version and license of the Check Point Security Management | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | | hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | @@ -121,10 +121,10 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | | 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | diff --git a/terraform/alicloud/management/README.md b/terraform/alicloud/management/README.md index ccff6e8f..0c07c661 100755 --- a/terraform/alicloud/management/README.md +++ b/terraform/alicloud/management/README.md @@ -49,7 +49,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | | ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | -| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | | +| version_license | Version and license of the Check Point Security Management | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | | hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | @@ -114,13 +114,13 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | -| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | +| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | | | | | 20211011 | First release of Check Point CloudGaurd Management Terraform deployment into an existing VPC in Alibaba cloud. | ## License diff --git a/terraform/alicloud/management/management_userdata.yaml b/terraform/alicloud/management/management_userdata.yaml index 9d957968..46540bbd 100644 --- a/terraform/alicloud/management/management_userdata.yaml +++ b/terraform/alicloud/management/management_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" 
diff --git a/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml index 312ca453..cd294845 100644 --- a/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml +++ b/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/alicloud/modules/common/version_license/main.tf b/terraform/alicloud/modules/common/version_license/main.tf index 94d144cd..dfe4739e 100755 --- a/terraform/alicloud/modules/common/version_license/main.tf +++ b/terraform/alicloud/modules/common/version_license/main.tf @@ -1,14 +1,9 @@ locals { gw_versions = [ - //"R81-PAYG-NGTP", - // "R81-PAYG-NGTX", - "R81-BYOL", "R81.10-BYOL", "R81.20-BYOL" ] mgmt_versions = [ - //"R81-PAYG", - "R81-BYOL", "R81.10-BYOL", "R81.20-BYOL" ] 
diff --git a/terraform/alicloud/modules/images/images.yaml b/terraform/alicloud/modules/images/images.yaml index c2eb1d52..126c819f 100755 --- a/terraform/alicloud/modules/images/images.yaml +++ b/terraform/alicloud/modules/images/images.yaml @@ -5,18 +5,12 @@ Parameters: Type: String Default: R81.20-BYOL-GW AllowedValues: - - R81-BYOL-GW - - R81-BYOL-MGMT - R81.10-BYOL-GW - R81.10-BYOL-MGMT - R81.20-BYOL-GW - R81.20-BYOL-MGMT Mappings: ConverterMap: - R81-BYOL-GW: - Value: R81BYOLGW - R81-BYOL-MGMT: - Value: R81BYOLMGMT R81.10-BYOL-GW: Value: R8110BYOLGW R81.10-BYOL-MGMT: 
@@ -27,183 +21,131 @@ Mappings: Value: R8120BYOLMGMT RegionMap: cn-hongkong: - R81BYOLMGMT: m-j6c55b1lpz95colzzz1y - R81BYOLGW: m-j6c3gd3gcahojs40842v R8110BYOLMGMT: m-j6c5n6p0tkx8clx72qes R8110BYOLGW: m-j6c0x6ugw2012axbdmkn R8120BYOLMGMT: m-j6c2gv0tohwb5otjzbk4 R8120BYOLGW: m-j6cdnsm44k0csckg4cxa ap-southeast-1: - R81BYOLMGMT: m-t4ngdphpnhzw065e30jt - R81BYOLGW: m-t4n99ag8zbinnc7n7xmw R8110BYOLMGMT: m-t4n9x963l2fx13d4mzi8 R8110BYOLGW: m-t4ndsvficp1ukrcpt4as R8120BYOLMGMT: m-t4n3m9t1icbv1ptf8b67 R8120BYOLGW: m-t4nj16t8nnlp7a70214i us-west-1: - R81BYOLMGMT: m-rj95ffd9q3c8u7rpc7v5 - R81BYOLGW: m-rj9eblv5oe0ypm77no86 R8110BYOLMGMT: m-rj9ebcmy6gxp3lzkjnrp R8110BYOLGW: m-rj952h5pzgaecqhg9h6u R8120BYOLMGMT: m-rj92n7t0j5uvmss2dak5 R8120BYOLGW: m-rj99hmyezcyqa0in2us9 us-east-1: - R81BYOLMGMT: m-0xi064illsngi8q7ejln - R81BYOLGW: m-0xiiv7m3m3ex8zai0lq4 R8110BYOLMGMT: m-0xie3j6n8rxa26v6abni R8110BYOLGW: m-0xiebcmy6gxpiyg830vh R8120BYOLMGMT: m-0xihsclzmkgsxpsmfil2 R8120BYOLGW: m-0xickak3e8yimpt90lh9 ap-southeast-2: - R81BYOLMGMT: m-p0w0pl2rajygi6otl2mh - R81BYOLGW: m-p0w78ynl3rpgo1yq43qf R8110BYOLMGMT: m-p0w7z34zl8gl2nmgzo75 R8110BYOLGW: m-p0w2nhgtaqxil6bruwe2 R8120BYOLMGMT: m-p0w2mgbmrn1pq4973ncq R8120BYOLGW: m-p0wd45q8v82grbipwqkw ap-southeast-3: - R81BYOLMGMT: m-8psi42zrfpq57cibgu2b - R81BYOLGW: m-8ps8swns48itw97zsb2i R8110BYOLMGMT: m-8psc710cdd9x9guiajuk R8110BYOLGW: m-8ps6mel7llq3ffzc2txa R8120BYOLMGMT: m-8psc710cdd9x6k9vbn5m R8120BYOLGW: m-8psf1zkz08byz41qrt1r ap-southeast-5: - R81BYOLMGMT: m-k1aajdkea2t5oyxicbu8 - R81BYOLGW: m-k1afqua8zzbgdaosx7sf R8110BYOLMGMT: m-k1ahug645c79svl6tgbp R8110BYOLGW: m-k1a6n0hj1qidjiig80o0 R8120BYOLMGMT: m-k1ahgt585wlm71lmpmg1 R8120BYOLGW: m-k1a20f2u7nspfcja9mfc ap-southeast-6: - R81BYOLMGMT: m-5ts832hgbk52wwnxzjlx - R81BYOLGW: m-5tsf5buudxrwbijypr0v R8110BYOLMGMT: m-5tsa5qwchhf7q22qj685 R8110BYOLGW: m-5tsdw01mce246abvrnes R8120BYOLMGMT: m-5ts5ukwjgsl6t34hx7po R8120BYOLGW: m-5tsa5qwchhf7pw5n70as ap-northeast-1: - R81BYOLMGMT: 
m-6we8l9kvu9shqf3j5v4e - R81BYOLGW: m-6we42rtltap69nckfynw R8110BYOLMGMT: m-6we20qh4jffzabapyyle R8110BYOLGW: m-6wefezctjbied9npzp1n R8120BYOLMGMT: m-6weihbzpoyt5h6i2i42e R8120BYOLGW: m-6we215381e51fkneyv5v eu-central-1: - R81BYOLMGMT: m-gw81j322yjmx03hq26qt - R81BYOLGW: m-gw82fm7sbwj7x6fpj1mn R8110BYOLMGMT: m-gw89gvg18gk6nzo3gxe1 R8110BYOLGW: m-gw8divjg7azjl2ndt34v R8120BYOLMGMT: m-gw8csbodb1ntgbtu653c R8120BYOLGW: m-gw83wxmsb5524ke9f6m7 eu-west-1: - R81BYOLMGMT: m-d7ocob57ud2nqiv9fk8w - R81BYOLGW: m-d7oez9xgn0qg5g815tip R8110BYOLMGMT: m-d7o7nj4f81gs8cyo52jd R8110BYOLGW: m-d7o7nj4f81gsnpfbofnh R8120BYOLMGMT: m-d7o63e77fokjsv4aq4kt R8120BYOLGW: m-d7oj29ec4xx04sr8h61z me-east-1: - R81BYOLMGMT: m-eb35op3wyu89kabry2zw - R81BYOLGW: m-eb35op3wyu89iv0z0nmz R8110BYOLMGMT: m-eb33tyrfiy726a0xlw6g R8110BYOLGW: m-eb30m4ho9mkzfb3xi78i R8120BYOLMGMT: m-eb3bbb1nen46tqmcujmn R8120BYOLGW: m-eb3dphy5uzm33cduxr7i ap-south-1: - R81BYOLMGMT: m-a2d16a0v0ms9mg5xh1nm - R81BYOLGW: m-a2didx39bhgf547thni0 R8110BYOLMGMT: m-a2d4ffz0q8dflg62j0zq R8110BYOLGW: m-a2d9j14yemliag92m9d1 R8120BYOLMGMT: m-a2d1e5s7uy9vv5a6n9cn R8120BYOLGW: m-a2d1e5s7uy9vxvxqa04e ap-southeast-7: - R81BYOLMGMT: m-0jo742iyh0qbzg51b6fd - R81BYOLGW: m-0joian1mgt9qt2lpvfnk R8110BYOLMGMT: m-0jo3qwrwsdx3663is0b4 R8110BYOLGW: m-0jogq1yzljp8ziw4caci R8120BYOLMGMT: m-0jo67k42jvg301wis5ol R8120BYOLGW: m-0jo5t1ypg4zy4h12i9c5 ap-northeast-2: - R81BYOLMGMT: m-mj75cxsn1dhdiqhfc3a0 - R81BYOLGW: m-mj7bybnr5b9gebqrf3xt R8110BYOLMGMT: m-mj7h0j7db1ryrwczg9ef R8110BYOLGW: m-mj73osasl4gyi0zqscr5 R8120BYOLMGMT: m-mj7aktw6610pznjgb16z R8120BYOLGW: m-mj79jylrqomj0fv99s3b cn-qingdao: - R81BYOLMGMT: m-m5e1i33z6ohq98tllukn - R81BYOLGW: m-m5eb1zyo5cjbvte7ovay R8110BYOLMGMT: m-m5eftm32pjq4ghtwcn25 R8110BYOLGW: m-m5ef0hxxec3ws2c2y26b R8120BYOLMGMT: m-m5ebt96quorb2gj7dhku R8120BYOLGW: m-m5eftm32pjq4g9xrwf5o cn-beijing: - R81BYOLMGMT: m-2ze5d2jit72gotjw5d77 - R81BYOLGW: m-2zec8i2qli4cnqfw9e3o R8110BYOLMGMT: m-2zehvbpbae19t51owc0j R8110BYOLGW: 
m-2zeiwvllkl9jybavtmey R8120BYOLMGMT: m-2ze1781062lxfwe35d1p R8120BYOLGW: m-2ze347cq3f6fg3udyb1p cn-zhangjiakou: - R81BYOLMGMT: m-8vb1rjkshxdaynvqbexj - R81BYOLGW: m-8vb1rjkshxdax8kxdzkk R8110BYOLMGMT: m-8vb83tbc4hwpesbvte9d R8110BYOLGW: m-8vbblzj10mzvpnkzdint R8120BYOLMGMT: m-8vbeoj3rrq2tm6o5bhaa R8120BYOLGW: m-8vbd1bffbjhlxjkb0k4i cn-huhehaote: - R81BYOLMGMT: m-hp309790we62uhpo5eed - R81BYOLGW: m-hp3ab2tvfxuar5snxu2r R8110BYOLMGMT: m-hp3h3tzxij7kl9tdrqg2 R8110BYOLGW: m-hp325dwey9rn4tyiyuyu R8120BYOLMGMT: m-hp31ci7e1eeaj062wki0 R8120BYOLGW: m-hp31ci7e1eealqtmjb9n cn-wulanchabu: - R81BYOLMGMT: m-0jlhwuucdujv3wee7m96 - R81BYOLGW: m-0jle5qxpr97s1c64e72k R8110BYOLMGMT: m-0jl54w11sr4odheytky1 R8110BYOLGW: m-0jlbavg2r5fjc4jxypp7 R8120BYOLMGMT: m-0jl54w11sr4oakubuo94 R8120BYOLGW: m-0jlbavg2r5fiwm6736o3 cn-hangzhou: - R81BYOLMGMT: m-bp14kps2wrk6qquv5ok0 - R81BYOLGW: m-bp1aa9u6zcazi4o1hnjh R8110BYOLMGMT: m-bp1dz2nq9fqppcf8smpk R8110BYOLGW: m-bp1hamqhfny1smyl8ql7 R8120BYOLMGMT: m-bp149dep83kgo5p0dw3l R8120BYOLGW: m-bp1gvq0d0413vbnakoqj cn-shanghai: - R81BYOLMGMT: m-uf6cj9tqmxx1bsfmbu45 - R81BYOLGW: m-uf63qkdigbprn96zy3vm R8110BYOLMGMT: m-uf655j7a9r7otwa2xemv R8110BYOLGW: m-uf6idj2b3zt57omxvzbr R8120BYOLMGMT: m-uf62vrhc5bapfoy9lw7n R8120BYOLGW: m-uf6c9vxp1n58y56ep033 cn-shenzhen: - R81BYOLMGMT: m-wz9d9s75jsh11z089uuj - R81BYOLGW: m-wz9czejz43gyhdztsjnr R8110BYOLMGMT: m-wz95gswem9lea2z0d9se R8110BYOLGW: m-wz93e5pwshkmiv35y9ii R8120BYOLMGMT: m-wz9am290ax9js6dfdt5o R8120BYOLGW: m-wz94fs2enyvm6qhx3ged cn-heyuan: - R81BYOLMGMT: m-f8z61z784gwfm1fhxgre - R81BYOLGW: m-f8z7wvp6hhvsvevtpb0j R8110BYOLMGMT: m-f8z5o7741si10yq0piws R8110BYOLGW: m-f8z985hmyc9d8951pr76 R8120BYOLMGMT: m-f8zj0s3cyg3glnlz414g R8120BYOLGW: m-f8z5o7741si10ssxdczf cn-guangzhou: - R81BYOLMGMT: m-7xv95xjo0yd0lg4y1z9p - R81BYOLGW: m-7xv95xjo0yd0k0u54jwr R8110BYOLMGMT: m-7xv4bih29ge5i2je9amd R8110BYOLGW: m-7xv7i7fhzogppdgxa2cc R8120BYOLMGMT: m-7xv3lyr4gpzmp8ei0qgi R8120BYOLGW: m-7xv7i7fhzogp9v36ejbr cn-chengdu: - 
R81BYOLMGMT: m-2vcho1h20xnncjlroavq - R81BYOLGW: m-2vc0m9vq9oty74yz83d4 R8110BYOLMGMT: m-2vc13w2rjk7p9o285gtj R8110BYOLGW: m-2vc13w2rjk7pp0ivotxs R8120BYOLMGMT: m-2vc0nlbyccv29t5ql0oh diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md index a156f3cc..1ca4b595 100755 --- a/terraform/aws/autoscale-gwlb/README.md +++ b/terraform/aws/autoscale-gwlb/README.md 
@@ -116,36 +116,36 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | -| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | -| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | -| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | -| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|------------------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs | Name | Description | @@ -167,18 +167,20 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS |
 ## License
diff --git a/terraform/aws/autoscale-gwlb/locals.tf b/terraform/aws/autoscale-gwlb/locals.tf
index ef1abdf2..2c811532 100755
--- a/terraform/aws/autoscale-gwlb/locals.tf
+++ b/terraform/aws/autoscale-gwlb/locals.tf
@@ -42,7 +42,6 @@ locals {
 gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
 gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
 maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
- is_gwlb_ami = length(regexall(".*R80.40.*", var.gateway_version)) > 0
 }
 resource "null_resource" "tags_as_list_of_maps" {
diff --git a/terraform/aws/autoscale-gwlb/main.tf b/terraform/aws/autoscale-gwlb/main.tf
index 3c7b7948..67691dca 100755
--- a/terraform/aws/autoscale-gwlb/main.tf
+++ b/terraform/aws/autoscale-gwlb/main.tf
@@ -7,7 +7,7 @@ provider "aws" {
 module "amis" {
 source = "../modules/amis"
 version_license = var.gateway_version
- amis_url = local.is_gwlb_ami == true ? "https://cgi-cfts.s3.amazonaws.com/gwlb/amis-gwlb.yaml" : "https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml"
+ amis_url = "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml"
 }
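Review bot: The new `amis_url` hardcodes the `cgi-cfts-staging` bucket, whereas both URLs it replaces pointed at `cgi-cfts`; `module "amis"` appears to be what resolves the gateway AMI for every instance the ASG launches, so a staging bucket would become the supply-chain root for production firewall images and anything published there during testing gets booted. Unless the bucket switch is deliberate, the line should be `amis_url = "https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml"`, i.e. the non-GWLB branch of the removed conditional, which also matches dropping `is_gwlb_ami` in locals.tf now that R80.40 is gone. Because the fetched YAML is trusted without any signature or checksum, it would be worth confirming that `modules/amis` (not visible here) still constrains the resulting `data "aws_ami"` lookup by owner ID, so a substituted ID in the document cannot point at an image from another account. A short comment above the line, `# AMI catalogue read at plan time; must stay on the production cgi-cfts bucket`, would keep the next consolidation from repeating this.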
@@ -91,28 +91,28 @@ resource "aws_autoscaling_group" "asg" {
 health_check_type = "ELB"
 tag {
- key = "Name"
- value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
- propagate_at_launch = true
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
 }
 tag {
- key = "x-chkp-tags"
- value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
- propagate_at_launch = true
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
 }
 tag {
- key = "x-chkp-topology"
- value = "internal"
- propagate_at_launch = true
+ key = "x-chkp-topology"
+ value = "internal"
+ propagate_at_launch = true
 }
 tag {
- key = "x-chkp-solution"
- value = "autoscale_gwlb"
- propagate_at_launch = true
- }
+ key = "x-chkp-solution"
+ value = "autoscale_gwlb"
+ propagate_at_launch = true
+ }
 dynamic "tag" {
 for_each = var.instances_tags
diff --git a/terraform/aws/autoscale-gwlb/terraform.tfvars b/terraform/aws/autoscale-gwlb/terraform.tfvars
index 4cced958..4938ae44 100755
--- a/terraform/aws/autoscale-gwlb/terraform.tfvars
+++ b/terraform/aws/autoscale-gwlb/terraform.tfvars
@@ -16,7 +16,7 @@ configuration_template = "tmpl_env1"
 // --- EC2 Instances Configuration ---
 gateway_name = "asg_gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 key_name = "publickey"
 instances_tags = {
 key1 = "value1"
diff --git a/terraform/aws/autoscale-gwlb/variables.tf b/terraform/aws/autoscale-gwlb/variables.tf
index cb1a985c..82e7396a 100644
--- a/terraform/aws/autoscale-gwlb/variables.tf
+++ b/terraform/aws/autoscale-gwlb/variables.tf
@@ -78,7 +78,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md
index eb13ecd4..38d4d034 100755
--- a/terraform/aws/autoscale/README.md
+++ b/terraform/aws/autoscale/README.md
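Review bot: The default for `gateway_instance_type` moves to `c6in.xlarge`, but the autoscale-gwlb README rewritten in this same commit still lists `c5.xlarge` in the Default column for that input, so the documented and effective defaults now disagree (the `terraform.tfvars` example was updated separately). The README row should end `| c6in.xlarge | no |`. It would also help to make the description self-explanatory, e.g. `description = "The instance type of the Security Gateways (default c6in.xlarge; must be one of the types accepted by the validate_instance_type module)"`, since the validation module that follows appears to be what actually constrains the value. The `variable` block is complete inside the hunk; `module "validate_instance_type"` continues past it.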
@@ -125,37 +125,37 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | -| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | -| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | -| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | -| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | -| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | -| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | +| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | +| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs @@ -179,20 +179,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS | -| 20210309 | AWS Terraform modules refactor | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
+| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | Change default shell for the admin user to /etc/cli.sh |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | AWS Terraform modules refactor |
+| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS |
 ## License
diff --git a/terraform/aws/autoscale/asg_userdata.yaml b/terraform/aws/autoscale/asg_userdata.yaml
index ea6de749..4c6633c3 100755
--- a/terraform/aws/autoscale/asg_userdata.yaml
+++ b/terraform/aws/autoscale/asg_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
diff --git a/terraform/aws/autoscale/main.tf b/terraform/aws/autoscale/main.tf
index dea10eca..68abbfe0 100755
--- a/terraform/aws/autoscale/main.tf
+++ b/terraform/aws/autoscale/main.tf
@@ -91,16 +91,16 @@ resource "aws_autoscaling_group" "asg" {
 health_check_type = "ELB"
 tag {
- key = "Name"
- value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
- propagate_at_launch = true
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
 }
 tag {
- key = "x-chkp-tags"
- value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
- propagate_at_launch = true
- }
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
+ }
 dynamic "tag" {
 for_each = var.instances_tags
diff --git a/terraform/aws/autoscale/terraform.tfvars b/terraform/aws/autoscale/terraform.tfvars
index d513fcd5..d4716480 100755
--- a/terraform/aws/autoscale/terraform.tfvars
+++ b/terraform/aws/autoscale/terraform.tfvars
@@ -15,7 +15,7 @@ configuration_template = "tmpl_env1"
 // --- EC2 Instances Configuration ---
 gateway_name = "asg_gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 key_name = "publickey"
 instances_tags = {
 key1 = "value1"
diff --git a/terraform/aws/autoscale/variables.tf b/terraform/aws/autoscale/variables.tf
index 81d256ab..2244fcbb 100755
--- a/terraform/aws/autoscale/variables.tf
+++ b/terraform/aws/autoscale/variables.tf
@@ -66,7 +66,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/cluster-master/README.md b/terraform/aws/cluster-master/README.md
index cfabfd18..7354af59 100755
--- a/terraform/aws/cluster-master/README.md
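Review bot: The autoscale README's inputs table on the new side still documents the default of `gateway_instance_type` as `c5.xlarge` (the trailing `| c5.xlarge | no |` cell of that row), while `variables.tf` in this hunk changes `default = "c5.xlarge"` to `default = "c6in.xlarge"`; the README's Default column should be updated to `c6in.xlarge` in the same commit so the documented and effective defaults agree. The `cluster-master/variables.tf` hunk further down makes the same default change, and its README presumably carries the same stale cell, though that table row is not visible here. The `module "validate_instance_type"` block that follows the variable continues outside the hunk, so whether its allowed-type list accepts `c6in.xlarge` cannot be confirmed from this view; the README's Allowed values list does include it.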
+++ b/terraform/aws/cluster-master/README.md @@ -171,7 +171,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -203,18 +203,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20230503 | Smart-1 Cloud token validation |
+| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS |
 ## License
diff --git a/terraform/aws/cluster-master/terraform.tfvars b/terraform/aws/cluster-master/terraform.tfvars
index 1e7b2c78..491c61dd 100755
--- a/terraform/aws/cluster-master/terraform.tfvars
+++ b/terraform/aws/cluster-master/terraform.tfvars
@@ -12,7 +12,7 @@ subnets_bit_length = 8
 // --- EC2 Instance Configuration ---
 gateway_name = "Check-Point-Cluster-tf"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 key_name = "publickey"
 allocate_and_associate_eip = true
 volume_size = 100
diff --git a/terraform/aws/cluster-master/variables.tf b/terraform/aws/cluster-master/variables.tf
index d1faf72c..af1995e4 100755
--- a/terraform/aws/cluster-master/variables.tf
+++ b/terraform/aws/cluster-master/variables.tf
@@ -46,7 +46,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md
index 073c7fe7..ecb44584 100755
--- a/terraform/aws/cluster/README.md
+++ b/terraform/aws/cluster/README.md
@@ -132,37 +132,37 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs | Name | Description | @@ -181,20 +181,20 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | - +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/cluster/cluster_member_a_userdata.yaml b/terraform/aws/cluster/cluster_member_a_userdata.yaml index 6329e2cf..1fa105c0 100755 --- a/terraform/aws/cluster/cluster_member_a_userdata.yaml +++ b/terraform/aws/cluster/cluster_member_a_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cluster/terraform.tfvars b/terraform/aws/cluster/terraform.tfvars index 179fe10b..ea7aa4d9 100755 --- a/terraform/aws/cluster/terraform.tfvars +++ b/terraform/aws/cluster/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 
diff --git a/terraform/aws/cluster/variables.tf b/terraform/aws/cluster/variables.tf index 1b515744..af28f15c 100755 --- a/terraform/aws/cluster/variables.tf +++ b/terraform/aws/cluster/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md index 2d6e639b..ae261614 100644 --- a/terraform/aws/cme-iam-role-gwlb/README.md +++ b/terraform/aws/cme-iam-role-gwlb/README.md @@ -89,12 +89,11 @@ secret_key = "my-secret-key" ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -|------------------|-------------------------------------------------------------------| -| 20230926 | CME instance profile for IAM Role | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | - +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230926 | CME instance profile for IAM Role | ## License diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md index 203326cb..bc7f0f58 100755 --- a/terraform/aws/cme-iam-role/README.md +++ b/terraform/aws/cme-iam-role/README.md 
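Review bot: The new default `default = "c6in.xlarge"` in terraform/aws/cluster/variables.tf no longer matches the cluster README Inputs table rewritten earlier in this same diff, whose gateway_instance_type row on the new side still appears to end with `| c5.xlarge | no |` (just before the key_name row). The README row should be updated to `| c6in.xlarge | no |` in the same change so the documented default is the one users actually get. The same default change is made in the cross-az-cluster-master/variables.tf, cross-az-cluster/variables.tf and gateway-master/variables.tf hunks; their README Inputs tables are not part of this diff, so they should be checked for the same stale default. The `module "validate_instance_type"` block that follows continues outside the hunk.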
@@ -91,11 +91,10 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|--------------------------------------------------------------------| -| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | -| 20230514 | CME instance profile for IAM Role | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | - +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230514 | CME instance profile for IAM Role | +| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster-master/README.md b/terraform/aws/cross-az-cluster-master/README.md index 9209ec51..ce475b0d 100755 --- a/terraform/aws/cross-az-cluster-master/README.md +++ b/terraform/aws/cross-az-cluster-master/README.md @@ -202,17 +202,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | -| 20221123 | Changed default version and added instances types | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster-master/terraform.tfvars b/terraform/aws/cross-az-cluster-master/terraform.tfvars index 28cb64a3..a658cb8b 100755 --- a/terraform/aws/cross-az-cluster-master/terraform.tfvars +++ b/terraform/aws/cross-az-cluster-master/terraform.tfvars @@ -14,7 +14,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/cross-az-cluster-master/variables.tf b/terraform/aws/cross-az-cluster-master/variables.tf index d49cf50c..783f77ff 100755 --- a/terraform/aws/cross-az-cluster-master/variables.tf +++ b/terraform/aws/cross-az-cluster-master/variables.tf @@ -46,7 +46,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cross-az-cluster/README.md b/terraform/aws/cross-az-cluster/README.md index f473732d..ed0737da 100755 --- a/terraform/aws/cross-az-cluster/README.md +++ b/terraform/aws/cross-az-cluster/README.md 
@@ -178,18 +178,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | -| 20221123 | Changed default version and added instances types | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml index 1a3095e2..f9a926c5 100755 --- a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml index 9ec9d23a..a374aaa6 100755 
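Review bot: The new `templateVersion=\"20240310\"` in terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml (and identically in the cluster_member_b_userdata.yaml hunk that follows) does not correspond to any revision listed in the cross-az-cluster README revision history in this diff, whose newest entries on the new side are 20240515 and 20240304. The cluster module's userdata in this same commit is bumped to `templateVersion=\"20240704\"`, so 20240310 looks like a typo or a stale value. Since this string is what the gateway reports as its template version, both member files should carry the value that matches the README's newest revision entry; if 20240310 is intentional, a matching row should be added to the revision history.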
--- a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file 
diff --git a/terraform/aws/cross-az-cluster/terraform.tfvars b/terraform/aws/cross-az-cluster/terraform.tfvars index 8c6aff9b..6823b86f 100755 --- a/terraform/aws/cross-az-cluster/terraform.tfvars +++ b/terraform/aws/cross-az-cluster/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/cross-az-cluster/variables.tf b/terraform/aws/cross-az-cluster/variables.tf index c2d66839..e32d7e96 100755 --- a/terraform/aws/cross-az-cluster/variables.tf +++ b/terraform/aws/cross-az-cluster/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gateway-master/README.md b/terraform/aws/gateway-master/README.md index e6f56bec..00594f44 100755 --- a/terraform/aws/gateway-master/README.md +++ b/terraform/aws/gateway-master/README.md @@ -161,7 +161,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -198,18 +198,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | ## License diff --git a/terraform/aws/gateway-master/terraform.tfvars b/terraform/aws/gateway-master/terraform.tfvars index a8eb1d58..f42c018e 100755 --- a/terraform/aws/gateway-master/terraform.tfvars +++ b/terraform/aws/gateway-master/terraform.tfvars @@ -12,7 +12,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Gateway-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 diff --git a/terraform/aws/gateway-master/variables.tf b/terraform/aws/gateway-master/variables.tf index 1c00c4f3..61e7389c 100755 --- a/terraform/aws/gateway-master/variables.tf +++ b/terraform/aws/gateway-master/variables.tf @@ -46,7 +46,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateway" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md index 0ee957ff..fefc7512 100755 --- a/terraform/aws/gateway/README.md +++ b/terraform/aws/gateway/README.md 
@@ -123,38 +123,38 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | -| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (optional) | string | n/a | "" | no | -| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | -| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | -| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. 
rtb-12a34567) | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs @@ -173,18 +173,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | ## License diff --git a/terraform/aws/gateway/terraform.tfvars b/terraform/aws/gateway/terraform.tfvars index 02b1f781..a6414963 100755 --- a/terraform/aws/gateway/terraform.tfvars +++ b/terraform/aws/gateway/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Gateway-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 diff --git a/terraform/aws/gateway/variables.tf b/terraform/aws/gateway/variables.tf index 7d32ab1a..f06d4b05 100755 --- a/terraform/aws/gateway/variables.tf +++ b/terraform/aws/gateway/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateway" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md index 4fcdeaa2..c84a3ee7 100755 --- a/terraform/aws/gwlb-master/README.md +++ b/terraform/aws/gwlb-master/README.md 
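Review bot: The new default `default = "c6in.xlarge"` in variables.tf no longer matches this module's README, whose rewritten Inputs row for `gateway_instance_type` (in the README hunk earlier in this patch) still ends with `| c5.xlarge | no |`, so the table now documents a default the module does not use. Change that cell to `| c6in.xlarge | no |` in the same commit, and consider a Template Version row such as `| 20240704 | Change default gateway instance type to c6in.xlarge |` alongside the deprecation entry, since the version table otherwise records default changes (cf. the `20230829` row). The `description` string in the same block could also name the default so the two are harder to drift apart, e.g. `description = "The instance type of the Security Gateway (default c6in.xlarge)"`. Note that c6in instances are a newer family that may not be offered in every region or for every AMI, so a short README caveat pointing users back to `c5.xlarge` where c6in is unavailable would be prudent; the `validate_instance_type` module that checks the value continues outside the hunk.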
@@ -157,48 +157,47 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/ a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -217,18 +216,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221215 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221215 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | ## License diff --git a/terraform/aws/gwlb-master/terraform.tfvars b/terraform/aws/gwlb-master/terraform.tfvars index f0f13c92..d5e1c853 100755 --- a/terraform/aws/gwlb-master/terraform.tfvars 
+++ b/terraform/aws/gwlb-master/terraform.tfvars @@ -28,7 +28,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/gwlb-master/variables.tf b/terraform/aws/gwlb-master/variables.tf index fd72c46c..bf51e406 100755 --- a/terraform/aws/gwlb-master/variables.tf +++ b/terraform/aws/gwlb-master/variables.tf @@ -135,7 +135,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md index 4363e8c9..46a142c0 100755 --- a/terraform/aws/gwlb/README.md +++ b/terraform/aws/gwlb/README.md @@ -172,7 +172,7 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
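Review bot: The default for `gateway_instance_type` in terraform/aws/gwlb-master/variables.tf changes to `c6in.xlarge`, but the README input table in the same commit still documents the old default — the new-side gateway_instance_type row in gwlb-master/README.md ends with `| c5.xlarge | no |`, so the documented and effective defaults now disagree. The same mismatch applies to the identical default change in terraform/aws/gwlb/variables.tf (whose README row also still ends with `| c5.xlarge | no |`) and in terraform/aws/modules/common/gateway_instance/variables.tf. Update the Default column of those rows to `c6in.xlarge` in the same change, since readers use the README table to decide whether to set the variable at all. The `module "validate_instance_type"` block that follows the variable continues outside the hunk, so I could not confirm here that `c6in.xlarge` is in its allowed list; the README allowed-values column does list it.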
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | @@ -181,7 +181,7 @@ secret_key = "my-secret-key" | allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | | gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | 
@@ -208,20 +208,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | -| 20220523 | Add support for cross zone load balancing | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220523 | Add support for cross zone load 
balancing | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | ## License diff --git a/terraform/aws/gwlb/terraform.tfvars b/terraform/aws/gwlb/terraform.tfvars index 0e26ad11..daffb3e2 100755 --- a/terraform/aws/gwlb/terraform.tfvars +++ b/terraform/aws/gwlb/terraform.tfvars @@ -24,7 +24,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/gwlb/variables.tf b/terraform/aws/gwlb/variables.tf index 5f099c6c..834842c2 100755 --- a/terraform/aws/gwlb/variables.tf +++ b/terraform/aws/gwlb/variables.tf @@ -124,7 +124,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/management/README.md b/terraform/aws/management/README.md index dd57ea4d..8545ff85 100755 --- a/terraform/aws/management/README.md +++ b/terraform/aws/management/README.md @@ -152,7 +152,7 @@ secret_key = "my-secret-key" | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | -| management_version | Management version and license | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | Management version and license | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | | management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | @@ -182,18 +182,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240207 | Added Log Server installation support | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240207 | Added Log Server installation support | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | ## License diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml index 0f3801ff..cfd9e5dc 100755 --- a/terraform/aws/management/management_userdata.yaml +++ b/terraform/aws/management/management_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/mds/README.md b/terraform/aws/mds/README.md index 5da9667d..156aad68 100755 --- a/terraform/aws/mds/README.md +++ b/terraform/aws/mds/README.md @@ -147,7 +147,7 @@ secret_key = "my-secret-key" | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | -| mds_version | Multi-Domain Server version and license | string | - R80.40-BYOL
- R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| mds_version | Multi-Domain Server version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | | mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | @@ -174,16 +174,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | -| 20210329 | Stability fixes | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | ## License diff --git a/terraform/aws/mds/mds_userdata.yaml b/terraform/aws/mds/mds_userdata.yaml index 3321cd60..cd0085c6 100755 --- a/terraform/aws/mds/mds_userdata.yaml +++ b/terraform/aws/mds/mds_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/modules/amis/main.tf b/terraform/aws/modules/amis/main.tf index 4e76baa3..19d136d2 100644 --- a/terraform/aws/modules/amis/main.tf +++ b/terraform/aws/modules/amis/main.tf 
@@ -4,10 +4,11 @@ locals { // Variables example: - // version_license = "R80.40-PAYG-NGTX" + // version_license = "R81.10-PAYG-NGTX" // RESULT: - // version_license_key = "R80.40-PAYG-NGTX-GW" - // version_license_value = "R8040PAYGNGTXGW" + // version_license_key = "R81.10-PAYG-NGTX-GW" + + // version_license_value = "R8110PAYGNGTXGW" version_license_key_mgmt_gw = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management" ? "-MGMT" : var.chkp_type == "mds" ? "-MGMT" : "") version_license_key = var.chkp_type == "standalone" ? format("%s%s", var.version_license, element(split("-", var.version_license), 1) == "BYOL" ? "-MGMT" : "") : local.version_license_key_mgmt_gw diff --git a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml index 05538232..ba55e025 100755 --- a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml +++ b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml 
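Review bot: The added lines insert an empty `+` line between `// version_license_key = "R81.10-PAYG-NGTX-GW"` and `// version_license_value = "R8110PAYGNGTXGW"`, which splits the `// RESULT:` example into two fragments where the old comment kept the key/value pair together (this is why the hunk grows from 10 to 11 lines). Dropping that blank line keeps the three-line example readable as one block: `// RESULT:` / `// version_license_key = "R81.10-PAYG-NGTX-GW"` / `// version_license_value = "R8110PAYGNGTXGW"`. The `locals` block this comment sits in continues past the end of the hunk.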
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/modules/common/gateway_instance/variables.tf b/terraform/aws/modules/common/gateway_instance/variables.tf index 0e1a010c..5e6ac6bf 100755 --- a/terraform/aws/modules/common/gateway_instance/variables.tf +++ b/terraform/aws/modules/common/gateway_instance/variables.tf @@ -52,7 +52,7 @@ variable "gateway_version" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../instance_type" 
diff --git a/terraform/aws/modules/common/instance_type/main.tf b/terraform/aws/modules/common/instance_type/main.tf index 22fffe49..418d3415 100755 --- a/terraform/aws/modules/common/instance_type/main.tf +++ b/terraform/aws/modules/common/instance_type/main.tf @@ -350,4 +350,4 @@ locals { sa_values = var.chkp_type == "standalone" ? concat(local.gw_types, local.mgmt_types) : [] allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values , local.server_types) is_allowed_type = index(local.allowed_values, var.instance_type) -} \ No newline at end of file +} diff --git a/terraform/aws/modules/common/load_balancer/variables.tf b/terraform/aws/modules/common/load_balancer/variables.tf index 7cc6464e..2e143fc7 100755 --- a/terraform/aws/modules/common/load_balancer/variables.tf +++ b/terraform/aws/modules/common/load_balancer/variables.tf @@ -59,4 +59,4 @@ variable "health_check_protocol" { description = "The health check protocol" type = string default = null -} +} \ No newline at end of file diff --git a/terraform/aws/modules/common/version_license/main.tf b/terraform/aws/modules/common/version_license/main.tf index 43512f98..c0aaca14 100755 --- a/terraform/aws/modules/common/version_license/main.tf +++ b/terraform/aws/modules/common/version_license/main.tf @@ -1,11 +1,5 @@ locals { gw_versions = [ - "R80.40-BYOL", - "R80.40-PAYG-NGTP", - "R80.40-PAYG-NGTX", - "R81-BYOL", - "R81-PAYG-NGTP", - "R81-PAYG-NGTX", "R81.10-BYOL", "R81.10-PAYG-NGTP", "R81.10-PAYG-NGTX", 
@@ -14,35 +8,22 @@ locals {
     "R81.20-PAYG-NGTX"
   ]
   mgmt_versions = [
-    "R80.40-BYOL",
-    "R80.40-PAYG",
-    "R81-BYOL",
-    "R81-PAYG",
     "R81.10-BYOL",
     "R81.10-PAYG",
     "R81.20-BYOL",
     "R81.20-PAYG"
   ]
   mds_versions = [
-    "R80.40-BYOL",
-    "R81-BYOL",
     "R81.10-BYOL",
     "R81.20-BYOL"
   ]
   standalone_versions = [
-    "R80.40-BYOL",
-    "R80.40-PAYG-NGTP",
-    "R81-BYOL",
-    "R81-PAYG-NGTP",
     "R81.10-BYOL",
     "R81.10-PAYG-NGTP",
     "R81.20-BYOL",
     "R81.20-PAYG-NGTP"
   ]
   gwlb_gw_versions = [
-    "R80.40-BYOL",
-    "R80.40-PAYG-NGTP",
-    "R80.40-PAYG-NGTX",
     "R81.20-BYOL",
     "R81.20-PAYG-NGTP",
     "R81.20-PAYG-NGTX"
diff --git a/terraform/aws/modules/custom-autoscale/main.tf b/terraform/aws/modules/custom-autoscale/main.tf
index e7d3decd..c361388d 100755
--- a/terraform/aws/modules/custom-autoscale/main.tf
+++ b/terraform/aws/modules/custom-autoscale/main.tf
@@ -43,9 +43,9 @@ resource "aws_autoscaling_group" "servers_group" { target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : [] tag { - key = "Name" - value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.server_name) - propagate_at_launch = true + key = "Name" + value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.server_name) + propagate_at_launch = true } } resource "aws_autoscaling_policy" "scale_up_policy" {
diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md
index 809de14a..6d140f0f 100755
--- a/terraform/aws/qs-autoscale-master/README.md
+++ b/terraform/aws/qs-autoscale-master/README.md
@@ -167,7 +167,6 @@ secret_key = "my-secret-key" ``` ## Inputs - | Name | Description | Type | Allowed values | Default | Required | |-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | 
@@ -240,18 +239,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231127 | Add support for parameter admin shell | | 20240425 | Remove support for R81 and lower versions | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231127 | Add support for parameter admin shell | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | ## License diff --git a/terraform/aws/qs-autoscale-master/terraform.tfvars b/terraform/aws/qs-autoscale-master/terraform.tfvars index 37a07774..6272f051 100755 --- a/terraform/aws/qs-autoscale-master/terraform.tfvars +++ b/terraform/aws/qs-autoscale-master/terraform.tfvars 
@@ -31,7 +31,7 @@ service_port = "80" admin_shell = "/etc/cli.sh" // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" gateways_min_group_size = 2 gateways_max_group_size = 8 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/qs-autoscale-master/variables.tf b/terraform/aws/qs-autoscale-master/variables.tf
index 317b1c94..35071b1c 100755
--- a/terraform/aws/qs-autoscale-master/variables.tf
+++ b/terraform/aws/qs-autoscale-master/variables.tf
@@ -111,7 +111,7 @@ variable "admin_shell" {
 variable "gateway_instance_type" {
   type = string
   description = "The instance type of the Security Gateways"
-  default = "c5.xlarge"
+  default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
   source = "../modules/common/instance_type"
diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md
index adadaeff..68244779 100755
--- a/terraform/aws/qs-autoscale/README.md
+++ b/terraform/aws/qs-autoscale/README.md
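Review bot: The `default = "c6in.xlarge"` change in `variable "gateway_instance_type"` is not reflected in the documentation this commit touches: the Template Version table for this module (hunk above) is only reordered and gains no row for the new default, and the sibling qs-autoscale README rewritten below still shows `c5.xlarge` in the Default column for gateway_instance_type (this module's own Inputs table is cut off in this view, so check it too). A default change in a quick-start template is user-visible — sizing, cost and, as far as I know, regional availability of the c6in family all shift — so it deserves a changelog row and a matching Default cell, e.g. a row such as `| <template version> | Change default gateway instance type to c6in.xlarge |`. `validate_gateway_instance_type` only verifies the type is in the allowed list; its body continues outside the hunk.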
@@ -154,47 +154,45 @@ secret_key = "my-secret-key" ``` ## Inputs - -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | Select an existing VPC | string | n/a | n/a | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | -| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | -| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | -| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | -| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | -| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | -| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | -| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| 
enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -218,21 +216,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231022 | Fixed template to populate x-chkp-tags correctly | -| 20231127 | Add support for parameter admin shell | -| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. New Health Check Port is 8117 and Protocol TCP | -| 20240425 | Remove support for R81 and lower versions | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. 
New Health Check Port is 8117 and Protocol TCP |
+| 20231127 | Add support for parameter admin shell |
+| 20231022 | Fixed template to populate x-chkp-tags correctly |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS |
## License
diff --git a/terraform/aws/qs-autoscale/terraform.tfvars b/terraform/aws/qs-autoscale/terraform.tfvars
index d9eb16f4..c9b51179 100755
--- a/terraform/aws/qs-autoscale/terraform.tfvars
+++ b/terraform/aws/qs-autoscale/terraform.tfvars
@@ -21,7 +21,7 @@ admin_shell = "/etc/cli.sh"
// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
gateways_min_group_size = 2
gateways_max_group_size = 8
gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/qs-autoscale/variables.tf b/terraform/aws/qs-autoscale/variables.tf
index 070ec4f4..b1539ba3 100755
--- a/terraform/aws/qs-autoscale/variables.tf
+++ b/terraform/aws/qs-autoscale/variables.tf
@@ -98,7 +98,7 @@ variable "gateways_subnets" {
variable "gateway_instance_type" {
type = string
description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
}
module "validate_gateway_instance_type" {
source = "../modules/common/instance_type"
diff --git a/terraform/aws/standalone-master/README.md b/terraform/aws/standalone-master/README.md
index 7802954c..ef5219d9 100755
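Review bot: The new `default = "c6in.xlarge"` in `variable "gateway_instance_type"` silently changes the instance type launched for every caller that does not set the variable, yet the qs-autoscale revision-history hunk in this same commit only reorders existing rows and records nothing about it; add a row such as `| <date> | Change default gateway instance type to c6in.xlarge |` (the matching `gateway_instance_type = "c6in.xlarge"` edit in terraform.tfvars shares this point). The `module "validate_gateway_instance_type"` block presumably checks the value against an allowed list rather than regional availability, and c6in is not offered in every region, so a `# NOTE: c6in is not available in all regions; override where it is missing` comment next to the default would save a failed apply. If the README Inputs table still lists c5.xlarge as this variable's default it should be updated as well — that row is outside this chunk.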
--- a/terraform/aws/standalone-master/README.md
+++ b/terraform/aws/standalone-master/README.md
@@ -152,7 +152,7 @@ secret_key = "my-secret-key"
| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no |
-| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | resources_tag_name | (optional) | string | n/a | "" | no | @@ -185,16 +185,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20231012 | Update AWS Terraform Provider version to 5.20.1 | -| 20231113 | Add support for BYOL license type for Standalone | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform Provider version to 5.20.1 | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | ## License diff --git a/terraform/aws/standalone-master/locals.tf b/terraform/aws/standalone-master/locals.tf index e2e6ab47..61326301 100755 --- a/terraform/aws/standalone-master/locals.tf +++ b/terraform/aws/standalone-master/locals.tf @@ -32,4 +32,5 @@ locals { // Will fail if var.standalone_password_hash is invalid regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash" regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" + } \ No newline at end of file diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md index 388bba1e..e16f1fe8 100755 --- a/terraform/aws/standalone/README.md +++ b/terraform/aws/standalone/README.md 
@@ -113,36 +113,35 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | -| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | -| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | -| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | -| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| resources_tag_name | (optional) | string | n/a | "" | no | -| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | -| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -155,22 +154,21 @@ secret_key = "my-secret-key" ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) - -| Template Version | Description | -|--------------------|------------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231113 | Add support for BYOL license type for Standalone | -| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | - +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
## License
diff --git a/terraform/aws/standalone/standalone_userdata.yaml b/terraform/aws/standalone/standalone_userdata.yaml
index 1bdf7eca..0bf47ec4 100755
--- a/terraform/aws/standalone/standalone_userdata.yaml
+++ b/terraform/aws/standalone/standalone_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg-master/README.md b/terraform/aws/tgw-asg-master/README.md
index 7850cebd..18940e6e 100755
--- a/terraform/aws/tgw-asg-master/README.md
+++ b/terraform/aws/tgw-asg-master/README.md
@@ -168,14 +168,14 @@ secret_key = "my-secret-key"
| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | @@ -207,16 +207,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------| -| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-asg-master/locals.tf b/terraform/aws/tgw-asg-master/locals.tf
index 54cef511..467c4b4e 100755
--- a/terraform/aws/tgw-asg-master/locals.tf
+++ b/terraform/aws/tgw-asg-master/locals.tf
@@ -35,10 +35,12 @@ locals {
 regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
 // Will fail if var.management_password_hash is invalid
 regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
 regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
 // Will fail if var.gateway_password_hash is invalid
 regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
 regex_valid_asn = "^[0-9]+$"
 // Will fail if var.asn is invalid
diff --git a/terraform/aws/tgw-asg-master/terraform.tfvars b/terraform/aws/tgw-asg-master/terraform.tfvars
index 7807cc3d..5fb15521 100755
--- a/terraform/aws/tgw-asg-master/terraform.tfvars
+++ b/terraform/aws/tgw-asg-master/terraform.tfvars
@@ -18,7 +18,7 @@ allow_upload_download = true
 // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 gateways_min_group_size = 2
 gateways_max_group_size = 8
 gateway_version = "R81.20-BYOL"
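Review bot: The two added maintenance-mode locals reuse the admin-hash character class `^[\\$\\./a-zA-Z0-9]*$`, so they check only the alphabet, not the hash format; the READMEs in this patch tell users to generate the maintenance-mode hash with `grub2-mkpasswd-pbkdf2` and the admin hash with `openssl passwd -6`, and a hash of the wrong kind pasted into the wrong variable passes here and is only rejected at first boot. A one-line comment on each new local would make that limit explicit, e.g. `// Character-set check only: does not verify this is a grub2-mkpasswd-pbkdf2 (grub.pbkdf2.sha512...) hash`. As with the existing locals, the rejection appears to come from `regex()` raising on a non-match rather than from the ternary's error string, so the "must be a valid password hash" text is never shown; a `validation` block on the variable with the same pattern and `error_message` would surface the message as written. The `locals` block continues outside the hunk.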
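Review bot: The new `gateway_instance_type = "c6in.xlarge"` default is not reflected in the module documentation touched by the same commit: the Default column of the gateway_instance_type row in tgw-asg/README.md still reads `c5.xlarge` (the tgw-asg-master table appears to carry the same value), so readers of the table will expect the old type. The same applies to the `default = "c6in.xlarge"` changes in tgw-asg-master/variables.tf and tgw-asg/variables.tf. While updating tgw-asg/README.md, its rewritten gateway_version row lists the three R81.10 entries twice and `R81.20-PAYG-NGTX` twice, which looks like a carry-over of the duplicate already present on the removed line.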
diff --git a/terraform/aws/tgw-asg-master/variables.tf b/terraform/aws/tgw-asg-master/variables.tf
index a709a74f..f1713e76 100755
--- a/terraform/aws/tgw-asg-master/variables.tf
+++ b/terraform/aws/tgw-asg-master/variables.tf
@@ -74,7 +74,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-asg/README.md b/terraform/aws/tgw-asg/README.md
index 540a8d28..44e1c298 100755
--- a/terraform/aws/tgw-asg/README.md
+++ b/terraform/aws/tgw-asg/README.md
@@ -159,14 +159,14 @@ secret_key = "my-secret-key"
 | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | @@ -196,17 +196,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------| -| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-asg/terraform.tfvars b/terraform/aws/tgw-asg/terraform.tfvars
index 9bdbb84e..c0f038e4 100755
--- a/terraform/aws/tgw-asg/terraform.tfvars
+++ b/terraform/aws/tgw-asg/terraform.tfvars
@@ -14,7 +14,7 @@ allow_upload_download = true
 // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 gateways_min_group_size = 2
 gateways_max_group_size = 8
 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/tgw-asg/variables.tf b/terraform/aws/tgw-asg/variables.tf
index 9a9a47e1..bd4af5b7 100755
--- a/terraform/aws/tgw-asg/variables.tf
+++ b/terraform/aws/tgw-asg/variables.tf
@@ -68,7 +68,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md
index 937444d8..3a821c9c 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/README.md
+++ b/terraform/aws/tgw-cross-az-cluster-master/README.md 
@@ -139,40 +139,39 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | -| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | -| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | @@ -190,20 +189,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | -| 20221229 | Removed unsupported versions | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | - - +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221229 | Removed unsupported versions | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars index 2a1fee10..a7403f7b 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars +++ b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars @@ -18,7 +18,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/tgw-cross-az-cluster-master/variables.tf b/terraform/aws/tgw-cross-az-cluster-master/variables.tf index 1485389b..8d14327a 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/variables.tf +++ b/terraform/aws/tgw-cross-az-cluster-master/variables.tf @@ -59,7 +59,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md index 1dcb1b0c..a8fd8013 100755 --- a/terraform/aws/tgw-cross-az-cluster/README.md +++ b/terraform/aws/tgw-cross-az-cluster/README.md 
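Review bot: The new default `c6in.xlarge` for `gateway_instance_type` in variables.tf is not reflected in the README inputs table of the same commit, whose new-side row for `gateway_instance_type` still ends with `| c5.xlarge | no |`, so the documented default now contradicts the code; the same mismatch appears in the tgw-cross-az-cluster variables.tf hunk and its README further down. The matching tfvars hunks are updated to `c6in.xlarge`, so the README tables are the only place left stale. The version-history table in both READMEs also gains no entry recording the default instance type change, which is what operators use to understand why a fresh `terraform apply` would replace an existing `c5.xlarge` member. The `validate_instance_type` module that follows presumably checks the value against the allowed list, where `c6in.xlarge` is present, but that cannot be confirmed from this hunk.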
@@ -134,42 +134,40 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | -| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | -| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | -| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | @@ -187,18 +185,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | -| 20221123 | R81.20 version support | -| 20221229 | Removed unsupported versions | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221229 | Removed unsupported versions | +| 20221123 | R81.20 version support | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars index c1008d0d..64e995b8 100755 --- a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars +++ b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars @@ -12,7 +12,7 @@ private_route_table = "" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/tgw-cross-az-cluster/variables.tf b/terraform/aws/tgw-cross-az-cluster/variables.tf index eb330795..9f17451b 100755 --- a/terraform/aws/tgw-cross-az-cluster/variables.tf +++ b/terraform/aws/tgw-cross-az-cluster/variables.tf @@ -60,7 +60,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md index fa8a0ffd..a28b180a 100755 --- a/terraform/aws/tgw-gwlb-master/README.md +++ b/terraform/aws/tgw-gwlb-master/README.md 
@@ -175,59 +175,58 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|-----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | -| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | -| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | -| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | -| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | -| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | -| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | -| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | -| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | -| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. 
Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -247,17 +246,18 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | Template Version | Description |
 |------------------|----------------------------------------------------------------------------------------------------------------------------|
-| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS |
-| 20220606 | New instance type support |
-| 20221123 | R81.20 version support |
-| 20221226 | Support ASG Launch Template instead of Launch Configuration |
-| 20230806 | Add support for c6in instance type |
-| 20230829 | Change default Check Point version to R81.20 |
-| 20230910 | Add bootstrap script execution option for deployed gateways |
-| 20230914 | Add support for maintenance mode password |
-| 20230923 | Add support for C5d instance type |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240704 | R80.40 version deprecation |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-gwlb-master/terraform.tfvars b/terraform/aws/tgw-gwlb-master/terraform.tfvars
index bdb7a361..57cb8a02 100755
--- a/terraform/aws/tgw-gwlb-master/terraform.tfvars
+++ b/terraform/aws/tgw-gwlb-master/terraform.tfvars
@@ -48,7 +48,7 @@ enable_cross_zone_load_balancing = "true"
 // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-GW-tf"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 minimum_group_size = 2
 maximum_group_size = 10
 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/tgw-gwlb-master/variables.tf b/terraform/aws/tgw-gwlb-master/variables.tf
index af425811..830caffa 100755
--- a/terraform/aws/tgw-gwlb-master/variables.tf
+++ b/terraform/aws/tgw-gwlb-master/variables.tf
@@ -193,7 +193,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The EC2 instance type for the Security Gateways."
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md
index a01c29bc..5daec1a3 100755
--- a/terraform/aws/tgw-gwlb/README.md
+++ b/terraform/aws/tgw-gwlb/README.md
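Review bot: The tgw-gwlb-master README inputs table rewritten in this same commit still documents the default of gateway_instance_type as `c5.xlarge` (the `| c5.xlarge | no |` cell closing the gateway_instance_type row on the new side), while this variables.tf hunk changes the variable's default to `c6in.xlarge`, so the documentation and the module now disagree. Update that cell to `| c6in.xlarge | no |`, and consider a template-version row for the default change next to the `20240704 | R80.40 version deprecation` entry, since the version table records no instance-type default change. The tgw-cross-az-cluster variables.tf hunk earlier in this patch makes the same default change; its README inputs table is not visible here, so it likely needs the same check.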
@@ -171,62 +171,61 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | Select an existing VPC | string | n/a | n/a | yes | -| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | -| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | -| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | -| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | -| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | -| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | -| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | -| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | -| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | -| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | -| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | -| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -246,17 +245,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-gwlb/terraform.tfvars b/terraform/aws/tgw-gwlb/terraform.tfvars index 266b4d1a..e6df1c8b 100755 --- a/terraform/aws/tgw-gwlb/terraform.tfvars +++ b/terraform/aws/tgw-gwlb/terraform.tfvars 
@@ -41,7 +41,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/tgw-gwlb/variables.tf b/terraform/aws/tgw-gwlb/variables.tf index 52b97b13..767885aa 100755 --- a/terraform/aws/tgw-gwlb/variables.tf +++ b/terraform/aws/tgw-gwlb/variables.tf @@ -201,7 +201,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index c26e307a..666aec67 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md @@ -55,7 +55,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest
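Review bot: The new default `c6in.xlarge` for `gateway_instance_type` in terraform/aws/tgw-gwlb/variables.tf (`@@ -201,7 +201,7 @@`) is not reflected in that module's README Inputs table, which this same commit rewrites and which still shows `| c5.xlarge | no |` as the default for that input, so the documentation now contradicts the code; change that cell to `| c6in.xlarge | no |`. The tgw-gwlb-master variables.tf hunk (`@@ -193,7 +193,7 @@`) makes the same default change and its README Inputs table is not in view, so it should be checked for the same drift. The terraform.tfvars hunk for each module is consistent with the new default and needs no change.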

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -115,9 +115,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | @@ -214,24 +214,22 @@ availability_type = "Availability Zone" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -| ---------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | -| | | | -| 20230910 | - R81.20 is the default version | -| | | | -| 20230212 | - Added Smart-1 Cloud support | -| | | | -| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | -| | | | -| 20220111 | - Added support to select different shells. | -| | | | -| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | -| | | | -| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. | -| | | | -| | Addition of "templateType" parameter to "cloud-version" files. | -| | | | +| Template Version | Description | +| ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells. | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files. | +| | | | ## License diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf index 934102da..86cf812b 100755 --- a/terraform/azure/high-availability-existing-vnet/main.tf +++ b/terraform/azure/high-availability-existing-vnet/main.tf @@ -284,6 +284,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { location = module.common.resource_group_location account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf index c11fa238..4aa5ca72 100755 --- a/terraform/azure/high-availability-existing-vnet/variables.tf +++ b/terraform/azure/high-availability-existing-vnet/variables.tf @@ -115,7 +115,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" 
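Review bot: The `min_tls_version = "TLS1_2"` pin added to `azurerm_storage_account.vm-boot-diagnostics-storage` in main.tf (`@@ -284,6 +284,7 @@`) is not recorded in this module's documentation: the README revision-history hunk in the same commit (`@@ -214,24 +214,22 @@`) removes the 20240613 row rather than adding one, so neither the TLS floor nor the removal of `"R8040"` from `os_version_allowed_values` in variables.tf (`@@ -115,7 +115,6 @@`) is traceable from the changelog. Add a dated row at the top of that table, e.g. `| <YYYYMMDD placeholder> | - Removed R80.40 support<br> - Boot-diagnostics storage account requires TLS 1.2 |`. Pinning the floor explicitly is worthwhile even where the provider default already matches, since it survives future provider-default changes; a short comment on the new line such as `# explicit floor so diagnostics uploads never negotiate below TLS 1.2` would make that intent clear to the next reader. The storage account resource block starts and ends outside the hunk.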
@@ -130,13 +129,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md index 51153c0a..2218fd5a 100755 --- a/terraform/azure/high-availability-new-vnet/README.md +++ b/terraform/azure/high-availability-new-vnet/README.md @@ -59,7 +59,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -113,9 +113,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | @@ -215,8 +215,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230212 | - Added Smart-1 Cloud support | diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf index 1506b913..641826ed 100755 --- a/terraform/azure/high-availability-new-vnet/main.tf +++ b/terraform/azure/high-availability-new-vnet/main.tf @@ -303,6 +303,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { location = module.common.resource_group_location account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf index 6bb79338..15e5ee4e 100755 --- a/terraform/azure/high-availability-new-vnet/variables.tf +++ b/terraform/azure/high-availability-new-vnet/variables.tf @@ -115,7 +115,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -130,13 +129,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md index 3ab73dbd..e2877075 100755 
--- a/terraform/azure/management-existing-vnet/README.md +++ b/terraform/azure/management-existing-vnet/README.md @@ -54,7 +54,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -168,8 +168,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/management-existing-vnet/main.tf b/terraform/azure/management-existing-vnet/main.tf index a471b842..ed9b2b85 100755 --- a/terraform/azure/management-existing-vnet/main.tf +++ b/terraform/azure/management-existing-vnet/main.tf @@ -196,6 +196,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf index 6030652b..ec9272a4 100755 --- a/terraform/azure/management-existing-vnet/variables.tf +++ b/terraform/azure/management-existing-vnet/variables.tf @@ -89,7 +89,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -104,13 +103,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120", diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md index f744dccc..8851e3d6 100755 --- a/terraform/azure/management-new-vnet/README.md +++ b/terraform/azure/management-new-vnet/README.md 
@@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -166,8 +166,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/management-new-vnet/main.tf b/terraform/azure/management-new-vnet/main.tf index 77c16ac6..c334c034 100755 --- a/terraform/azure/management-new-vnet/main.tf +++ b/terraform/azure/management-new-vnet/main.tf @@ -202,6 +202,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf index 63839bd0..3ed686e1 100755 --- a/terraform/azure/management-new-vnet/variables.tf +++ b/terraform/azure/management-new-vnet/variables.tf @@ -88,7 +88,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120", @@ -103,13 +102,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md index 7c8003fd..f83a56e8 100755 --- a/terraform/azure/mds-existing-vnet/README.md +++ b/terraform/azure/mds-existing-vnet/README.md 
@@ -54,7 +54,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -182,8 +182,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/mds-existing-vnet/main.tf b/terraform/azure/mds-existing-vnet/main.tf index 0c8719f1..6a64aea0 100755 --- a/terraform/azure/mds-existing-vnet/main.tf +++ b/terraform/azure/mds-existing-vnet/main.tf @@ -196,6 +196,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf index 8896ceae..745c78c7 100755 --- a/terraform/azure/mds-existing-vnet/variables.tf +++ b/terraform/azure/mds-existing-vnet/variables.tf @@ -109,7 +109,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -124,13 +123,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md index 293c3862..cb782964 100755 --- a/terraform/azure/mds-new-vnet/README.md 
+++ b/terraform/azure/mds-new-vnet/README.md @@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -175,8 +175,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/mds-new-vnet/main.tf b/terraform/azure/mds-new-vnet/main.tf index 7f2c1de9..26ad4d00 100755 --- a/terraform/azure/mds-new-vnet/main.tf +++ b/terraform/azure/mds-new-vnet/main.tf @@ -202,6 +202,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf index 9ce9d0ba..45c2175a 100755 --- a/terraform/azure/mds-new-vnet/variables.tf +++ b/terraform/azure/mds-new-vnet/variables.tf @@ -108,7 +108,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -123,13 +122,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf index e768159b..33d85f45 100755 --- a/terraform/azure/modules/common/variables.tf 
+++ b/terraform/azure/modules/common/variables.tf @@ -136,7 +136,6 @@ variable "os_version"{ locals { // locals for 'os_version' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -217,13 +216,12 @@ variable "publisher" { //************** Storage image reference and plan variables ****************// variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" @@ -237,8 +235,8 @@ variable "vm_os_sku" { /* Choose from: - "sg-byol" - - "sg-ngtp" (for R80.40 and above) - - "sg-ngtx" (for R80.40 and above) + - "sg-ngtp" (for R81 and above) + - "sg-ngtx" (for R81 and above) - "mgmt-byol" - "mgmt-25" */ diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md index a2765298..253cce89 100644 --- a/terraform/azure/nva-into-existing-hub/README.md +++ b/terraform/azure/nva-into-existing-hub/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into an existing vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Azure Managed Application: 
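Review bot: Dropping `"R8040"` from `os_version_allowed_values` and `"check-point-cg-r8040"` from `vm_os_offer_allowed_values` in the shared common module turns every existing R80.40 deployment into a validation failure on its next plan/apply, and nothing in the patch records that as a breaking change — the README changelog rows are being removed rather than added. If the intent is end-of-support enforcement, say so where the operator will see it, e.g. `description = "The name of the image offer to be deployed. Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120 (R80.40 offers are no longer accepted; upgrade existing deployments before updating this module)"`, and add a changelog row for it. The `validation` block that presumably consumes these locals is outside this hunk, so I cannot tell whether its error message names the dropped value.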
@@ -77,7 +77,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https | | | | | | | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | | | | | | | - | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | + | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | n/a | | | | | | | | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | | | | | | | @@ -161,7 +161,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|-------------------| -| 20240613 | Cosmetic fixes & default values | | 20240228 | Added public IP for ingress support | | | | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index 52cc1b17..c7f06c09 100644 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into a new vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Virtual WAN 
@@ -170,10 +170,9 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | -|------------------|-----------------------------------------------------------------------------------------------| -| 20240613 | Cosmetic fixes & default values | -| 20240228 | Added public IP for ingress support | | | -| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | +|------------------|---------------------------------------------------------------------------------------------------| +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | ## License diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md index 73fa074d..feebb542 100755 --- a/terraform/azure/single-gateway-existing-vnet/README.md +++ b/terraform/azure/single-gateway-existing-vnet/README.md @@ -52,7 +52,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r81200:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -112,9 +112,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
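Review bot: The replacement URN on the `+` line reads `check-point-cg-r81200`, which matches no offer in the allowed list (`check-point-cg-r8120` in the table further down this README and in `variables.tf`), so the quoted `az vm image terms accept` command will fail as written. Change it to `az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest`, as the sibling READMEs in this patch already do.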
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -185,8 +185,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | diff --git a/terraform/azure/single-gateway-existing-vnet/main.tf b/terraform/azure/single-gateway-existing-vnet/main.tf index 81ced59f..e7a9e174 100755 --- a/terraform/azure/single-gateway-existing-vnet/main.tf +++ b/terraform/azure/single-gateway-existing-vnet/main.tf @@ -137,6 +137,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf index dd4dc15e..f6f2da36 100755 --- a/terraform/azure/single-gateway-existing-vnet/variables.tf +++ b/terraform/azure/single-gateway-existing-vnet/variables.tf @@ -102,7 +102,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -117,13 +116,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" 
diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md index d4d821ac..b9227c85 100755 --- a/terraform/azure/single-gateway-new-vnet/README.md +++ b/terraform/azure/single-gateway-new-vnet/README.md @@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -112,9 +112,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -183,8 +183,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | diff --git a/terraform/azure/single-gateway-new-vnet/main.tf b/terraform/azure/single-gateway-new-vnet/main.tf index dcb817bf..c7673cd2 100755 --- a/terraform/azure/single-gateway-new-vnet/main.tf +++ b/terraform/azure/single-gateway-new-vnet/main.tf @@ -137,6 +137,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf index 65076afc..7b247e96 100755 --- a/terraform/azure/single-gateway-new-vnet/variables.tf +++ b/terraform/azure/single-gateway-new-vnet/variables.tf @@ -101,7 +101,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -116,13 +115,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md index dca0361a..f0602c30 100755 
--- a/terraform/azure/vmss-existing-vnet/README.md
+++ b/terraform/azure/vmss-existing-vnet/README.md
@@ -55,7 +55,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -71,91 +71,89 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | Default | - | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | - | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **subscription_id** | The subsscription ID is used to pay for Azure cloud services | string | | n/a - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a - | | | | | | - | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a - | | | | | | - | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" - | | | | | | - | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false - | | | | | | - | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -203,7 +201,6 @@ enable_custom_metrics = true admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" add_storage_account_ip_rules = false storage_account_additional_ips = [] @@ -215,14 +212,15 @@ enable_custom_metrics = true ## Known limitations +1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported +2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider |
diff --git a/terraform/azure/vmss-existing-vnet/main.tf b/terraform/azure/vmss-existing-vnet/main.tf
index 70e7169a..af194878 100755
--- a/terraform/azure/vmss-existing-vnet/main.tf
+++ b/terraform/azure/vmss-existing-vnet/main.tf
@@ -198,6 +198,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 location = module.common.resource_group_location
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
+ min_tls_version = "TLS1_2"
 network_rules {
 default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
 ip_rules = module.common.storage_account_ip_rules
diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars
index 66836af3..399ffeef 100755
--- a/terraform/azure/vmss-existing-vnet/terraform.tfvars
+++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars
@@ -39,5 +39,4 @@ admin_shell = "PLEASE ENTER ADMIN SHELL"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
-storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
-nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
\ No newline at end of file
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf
index 9ef598a3..aa405627 100755
--- a/terraform/azure/vmss-existing-vnet/variables.tf
+++ b/terraform/azure/vmss-existing-vnet/variables.tf
@@ -114,7 +114,6 @@ variable "os_version" {
 locals { // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R8040",
 "R81",
 "R8110",
 "R8120"
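Review bot: `min_tls_version = "TLS1_2"` is the only hardening this hunk adds to the boot-diagnostics storage account, while the visible `default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"` still opens the account to all networks unless the operator sets the flag, so whatever storage-exposure finding prompted this change is presumably only half addressed. At minimum make the trade-off explicit next to the new line, e.g. `# TLS 1.2 floor only; network reachability is governed by add_storage_account_ip_rules (default: allow all)`, and if HTTPS-only and public-blob-access settings are not already set elsewhere in this resource, add them in the same change. The resource block starts before the hunk and continues after it, and the identical three-line addition appears in the other two main.tf files in this patch, so the same remark applies to each.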
@@ -129,7 +128,7 @@ variable "disk_size" {
 }
 resource "null_resource" "disk_size_validation" { // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+ count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
 }
 variable "vm_os_sku" {
 description = "The sku of the image to be deployed."
@@ -243,10 +242,7 @@ variable "storage_account_additional_ips" {
 type = list(string)
 description = "IPs/CIDRs that are allowed access to the Storage Account"
 default = []
-}
-
-//********************* Load Balancers Variables **********************//
-
+}//********************* Load Balancers Variables **********************//
 variable "deployment_mode" {
 description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
 type = string
@@ -333,13 +329,12 @@ locals { // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
 type = string
 }
 locals { // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
- "check-point-cg-r8040",
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
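Review bot: The version list inside `disk_size_validation` is a second hand-maintained copy of `local.os_version_allowed_values` edited in the previous hunk, and this commit had to change both in lockstep; the next version drop, or an R82-style addition that must *not* be in the locked list, will drift silently because the check is a `count` coerced from an error string rather than a typed validation. Derive it once, e.g. `disk_size_locked_versions = ["R81", "R8110", "R8120"]` in the same `locals` block and `contains(local.disk_size_locked_versions, var.os_version)` here, and say why on the resource: `// R81.20 and below only support a 100 GB data disk; later versions may resize`. Pre-1.9 `validation` blocks cannot read another variable, so if a clearer error is wanted a `lifecycle { precondition }` on the scale-set resource is the portable option. The `resource` block lies wholly inside this hunk, but the `variable` definitions around it continue outside it.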
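Review bot: The rewritten line `}//********************* Load Balancers Variables **********************//` glues the closing brace of `variable "storage_account_additional_ips"` to the section banner of the next group, so the banner no longer reads as a separator and `terraform fmt` will not split it back out. Keep the brace on its own line followed by the banner, i.e. restore `}` and `//********************* Load Balancers Variables **********************//` as two lines; dropping only the surplus blank line after the banner was presumably what the analysis feedback asked for.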
@@ -397,8 +392,3 @@ variable "enable_floating_ip" {
 type = bool
 default = false
 }
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md
index b57e3011..06f786e7 100755
--- a/terraform/azure/vmss-new-vnet/README.md
+++ b/terraform/azure/vmss-new-vnet/README.md
@@ -59,7 +59,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest
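Review bot: Removing `variable "nsg_id"` (together with its tfvars and README entries elsewhere in this patch) changes the module's public input surface, yet the only hunk this patch carries for `vmss-existing-vnet/main.tf` is the `min_tls_version` addition, so nothing visible drops a `var.nsg_id` reference. Either the variable was never wired into the NSG association, in which case users who supplied a pre-hardened NSG ID were silently getting the template's default NSG and that deserves a call-out, or main.tf still references it and `terraform validate` will now fail; please confirm which before merging. Existing `terraform.tfvars` files that still set `nsg_id` will also start emitting an undeclared-variable warning, so a revision-history line such as `- Removed the unused nsg_id input; the deployment always creates its own NSG` is warranted.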

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -111,9 +111,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | @@ -221,8 +221,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | --------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider |
diff --git a/terraform/azure/vmss-new-vnet/main.tf b/terraform/azure/vmss-new-vnet/main.tf
index 2438915d..025592dc 100755
--- a/terraform/azure/vmss-new-vnet/main.tf
+++ b/terraform/azure/vmss-new-vnet/main.tf
@@ -195,6 +195,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 location = module.common.resource_group_location
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
+ min_tls_version = "TLS1_2"
 network_rules {
 default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
 ip_rules = module.common.storage_account_ip_rules
diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf
index 1760b8a2..afc907c5 100755
--- a/terraform/azure/vmss-new-vnet/variables.tf
+++ b/terraform/azure/vmss-new-vnet/variables.tf
@@ -114,7 +114,6 @@ variable "os_version" {
 locals { // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R8040",
 "R81",
 "R8110",
 "R8120",
@@ -129,7 +128,7 @@ variable "disk_size" {
 }
 resource "null_resource" "disk_size_validation" { // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+ count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
 }
 variable "vm_os_sku" {
 description = "The sku of the image to be deployed."
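Review bot: The TLS floor is hard-coded as a literal here while every neighbouring attribute of this storage account (`storage_account_tier`, `account_replication_type`, `storage_account_ip_rules`) is sourced from `module.common`, and the same literal is pasted into two other main.tf files in this patch, so the three templates will drift the next time the baseline moves. Expose it from the shared module instead, e.g. `min_tls_version = module.common.storage_account_min_tls_version`, with the value and its rationale documented once in the module. Independently of where it lives, note that the floor does not narrow the `default_action = ... ? "Deny" : "Allow"` exposure visible three lines below, which still allows all networks unless `add_storage_account_ip_rules` is set. The resource block begins before and ends after this hunk.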
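Review bot: In `disk_size_validation` the hard-coded `["R81", "R8110", "R8120"]` duplicates `local.os_version_allowed_values` from the preceding hunk (which, judging by its trailing comma, goes on to list newer versions), and both copies had to be edited in this commit; keep a single source such as `local.disk_size_locked_versions` and reference it from the `count` expression so the two cannot disagree. A one-line why-comment, e.g. `// Versions that only support a 100 GB data disk`, would also explain the otherwise opaque list. The surrounding `variable` blocks continue outside the hunk.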
@@ -327,13 +326,12 @@ locals { // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
 type = string
 }
 locals { // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
- "check-point-cg-r8040",
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/terraform/gcp/autoscale-into-existing-vpc/README.md
index 1c11c3d3..2ce564df 100755
--- a/terraform/gcp/autoscale-into-existing-vpc/README.md
+++ b/terraform/gcp/autoscale-into-existing-vpc/README.md
@@ -35,23 +35,22 @@ provider "google" {
 compute.autoscalers.create
 compute.autoscalers.delete
 compute.autoscalers.get
+ compute.autoscalers.update
 compute.disks.create
- compute.disks.delete
 compute.firewalls.create
 compute.firewalls.delete
 compute.firewalls.get
- compute.images.get
- compute.images.useReadOnly
+ compute.firewalls.update
 compute.instanceGroupManagers.create
 compute.instanceGroupManagers.delete
 compute.instanceGroupManagers.get
 compute.instanceGroupManagers.use
+ compute.instanceGroups.delete
 compute.instanceTemplates.create
 compute.instanceTemplates.delete
 compute.instanceTemplates.get
 compute.instanceTemplates.useReadOnly
 compute.instances.create
- compute.instances.delete
 compute.instances.setMetadata
 compute.instances.setTags
 compute.networks.get
@@ -60,11 +59,7 @@ provider "google" { compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -113,11 +108,14 @@ project = "project-id" # --- Check Point--- prefix = "chkp-tf-mig" license = "BYOL" -image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "R8120" management_nic = "Ephemeral Public IP (eth0)" management_name = "tf-checkpoint-management" configuration_template_name = "tf-asg-autoprov-tmplt" +generate_password = true admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" network_defined_by_routes = true admin_shell = "/etc/cli.sh" allow_upload_download = true @@ -166,13 +164,17 @@ Please leave empty list for a protocol if you want to disable traffic for it. | service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | | project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | | | | | | | -| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | | configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | N/A | "" | no | | network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | @@ -197,6 +199,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | + ## Outputs | Name | Description | | ------------- | ------------- | @@ -212,12 +215,13 @@ Please leave empty list for a protocol if you want to disable traffic for it. | SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | | ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | - ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230109 | Updated startup script to use cloud-config. | | | | | | 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into an existing VPC on GCP. | diff --git a/terraform/gcp/autoscale-into-existing-vpc/locals.tf b/terraform/gcp/autoscale-into-existing-vpc/locals.tf index 058d0689..9687f394 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-existing-vpc/locals.tf 
@@ -9,6 +9,14 @@ locals { // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + management_nic_allowed_values = [ "Ephemeral Public IP (eth0)", "Private IP (eth1)"] @@ -48,6 +56,7 @@ locals { + adminPasswordSourceMetadata = var.generate_password ? random_string.generated_password.result : "" disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Balanced Persistent Disk" ? "pd-balanced" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : "" mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private" diff --git a/terraform/gcp/autoscale-into-existing-vpc/main.tf b/terraform/gcp/autoscale-into-existing-vpc/main.tf index 24548144..b854e133 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/main.tf +++ b/terraform/gcp/autoscale-into-existing-vpc/main.tf @@ -20,7 +20,10 @@ resource "random_string" "random_sic_key" { length = 12 special = false } - +resource "random_string" "generated_password" { + length = 12 + special = false +} resource "google_compute_instance_template" "instance_template" { name = "${var.prefix}-tmplt-${random_string.random_string.result}" machine_type = var.machine_type 
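Review bot: The generated administrator password is produced by `random_string`, whose `result` is not marked sensitive, so it is printed in clear in `terraform plan`/`apply` output and stored in state alongside the SIC key; the `random` provider's `random_password` resource takes the same arguments and marks its result sensitive. Change the new resource to `resource "random_password" "generated_password" {` keeping `length = 12` and `special = false`, and update the reference in the new `adminPasswordSourceMetadata` local (and the matching ones in main.tf) to `random_password.generated_password.result` — assuming the pinned `random` provider version supports it, which is not visible here. Twelve alphanumeric characters is also a short initial credential for a gateway admin account; consider a larger `length` if the product accepts it. Either way, state files for this module now hold a live admin credential and should be treated as secret.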
@@ -81,9 +84,18 @@ resource "google_compute_instance_template" "instance_template" { local.network_defined_by_routes_condition, local.network_defined_by_routes_settings_condition] + metadata = local.admin_SSH_key_condition ? { + serial-port-enable = "true" + instanceSSHKey = var.admin_SSH_key + adminPasswordSourceMetadata = var.generate_password ?random_string.generated_password.result : "" + } : { + serial-port-enable = "true" + adminPasswordSourceMetadata = var.generate_password?random_string.generated_password.result : "" + } + metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", { // script's arguments - generatePassword = "false" + generatePassword = var.generate_password config_url = "" config_path = "" sicKey = "" @@ -106,14 +118,9 @@ resource "google_compute_instance_template" "instance_template" { name = "" zoneConfig = "" region = "" + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) - - metadata = local.admin_SSH_key_condition ? { - serial-port-enable = "true" - instanceSSHKey = var.admin_SSH_key - } : { - serial-port-enable = "true" - } } resource "google_compute_firewall" "ICMP_firewall_rules" { diff --git a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars index dfb828db..2f402aa6 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars +++ b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars 
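Review bot: Both `adminPasswordSourceMetadata` entries in the new `metadata` block recompute `var.generate_password ? random_string.generated_password.result : ""` (once as `?random_string`, once as `generate_password?random_string`) instead of using the `local.adminPasswordSourceMetadata` that this same commit adds in locals.tf, so the two copies can drift; both lines should read `adminPasswordSourceMetadata = local.adminPasswordSourceMetadata`. Be aware that a value placed in instance-template metadata is readable by any process on the gateway via the metadata server and by anyone holding `compute.instanceTemplates.get` or `compute.instances.get` on the project, so this is a plaintext copy of the initial admin password outside Terraform state; whether `cloud_config.py` clears it after first boot is not visible in this diff and is worth a comment on the block. The `google_compute_instance_template` resource continues outside the hunk.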
@@ -1,36 +1,39 @@ # --- Google Provider --- -service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json" -project = "PLEASE ENTER PROJECT ID" # "project-id" +service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json" +project = "PLEASE ENTER PROJECT ID" # "project-id" # --- Check Point--- -prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig" -license = "PLEASE ENTER LICENSE" # "BYOL" -image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126" -management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)" -management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management" -configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt" -admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" -network_defined_by_routes = "PLEASE ENTER true OR false" # true -admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" -allow_upload_download = "PLEASE ENTER true OR false" # true +prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig" +license = "PLEASE ENTER LICENSE" # "BYOL" +image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" +management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)" +management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management" +configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt" +generate_password = "PLEASE ENTER true or false" # false +admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +network_defined_by_routes = "PLEASE ENTER true OR false" # true +admin_shell = 
"PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +allow_upload_download = "PLEASE ENTER true OR false" # true # --- Networking --- -region = "PLEASE ENTER REGION" # "us-central1" -external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default" -external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default" -internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network" -internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork" -ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"] -TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"] -UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # [] -SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # [] -ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # [] +region = "PLEASE ENTER REGION" # "us-central1" +external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default" +external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default" +internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network" +internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork" +ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"] +UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # [] +SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # [] +ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # [] # --- Instance Configuration --- -machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4" -cpu_usage = "PLEASE ENTER CPU USAGE" # 60 -instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2 -instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10 -disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk" -disk_size = "PLEASE ENTER DISK SIZE" # 100 -enable_monitoring = "PLEASE ENTER true OR false" # false \ No newline at end of file 
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4" +cpu_usage = "PLEASE ENTER CPU USAGE" # 60 +instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2 +instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10 +disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk" +disk_size = "PLEASE ENTER DISK SIZE" # 100 +enable_monitoring = "PLEASE ENTER true OR false" # false \ No newline at end of file diff --git a/terraform/gcp/autoscale-into-existing-vpc/variables.tf b/terraform/gcp/autoscale-into-existing-vpc/variables.tf index 8acd8fda..54fd97f1 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/variables.tf +++ b/terraform/gcp/autoscale-into-existing-vpc/variables.tf @@ -25,7 +25,12 @@ variable "license" { } variable "image_name" { type = string - description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" + description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "management_nic" { type = string 
@@ -47,6 +52,16 @@ variable "admin_SSH_key" { description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." default = "" } +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password" + default = false +} +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "network_defined_by_routes" { type = bool description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." diff --git a/terraform/gcp/autoscale-into-new-vpc/README.md b/terraform/gcp/autoscale-into-new-vpc/README.md index 3439418c..3958865d 100755 --- a/terraform/gcp/autoscale-into-new-vpc/README.md +++ b/terraform/gcp/autoscale-into-new-vpc/README.md @@ -121,11 +121,14 @@ project = "project-id" # --- Check Point--- prefix = "chkp-tf-mig" license = "BYOL" -image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "R8120" management_nic = "Ephemeral Public IP (eth0)" management_name = "tf-checkpoint-management" configuration_template_name = "tf-asg-autoprov-tmplt" +generate_password = true admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" network_defined_by_routes = true admin_shell = "/etc/cli.sh" allow_upload_download = true 
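Review bot: `maintenance_mode_password_hash` is a credential hash that reaches plan output, state and the rendered startup script, yet the new variable is not marked `sensitive = true`, and it accepts any string even though the startup script in this commit splices it unescaped into a shell command line; a `validation` block restricting it to the shape `grub2-mkpasswd-pbkdf2` emits (the README in this commit names that tool) fails fast at plan time instead of producing a broken cloud-config on the gateway. `sensitive` and `validation` require Terraform 0.14 / 0.13 respectively, so check the module's `required_version` (not in view) before adopting them.

```hcl
variable "maintenance_mode_password_hash" {
  description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
  type        = string
  sensitive   = true
  default     = ""

  validation {
    # Empty disables the feature; otherwise expect the grub2-mkpasswd-pbkdf2 output,
    # which contains no shell metacharacters and so is safe to inline in the startup script.
    condition     = var.maintenance_mode_password_hash == "" || can(regex("^grub\\.pbkdf2\\.sha512\\.[0-9]+\\.[0-9A-Fa-f]+\\.[0-9A-Fa-f]+$", var.maintenance_mode_password_hash))
    error_message = "maintenance_mode_password_hash must be empty or a grub.pbkdf2.sha512.<iterations>.<salt>.<hash> string as produced by grub2-mkpasswd-pbkdf2."
  }
}
```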
@@ -172,13 +175,17 @@ Please leave empty list for a protocol if you want to disable traffic for it. | service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | | project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | | | | | | | -| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | | configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no | | network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | @@ -226,6 +233,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230109 | Updated startup script to use cloud-config. | | | | | | 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into a new VPC on GCP. | diff --git a/terraform/gcp/autoscale-into-new-vpc/locals.tf b/terraform/gcp/autoscale-into-new-vpc/locals.tf index 451bbd93..d49e09c4 100755 --- a/terraform/gcp/autoscale-into-new-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-new-vpc/locals.tf @@ -9,6 +9,14 @@ locals { // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + management_nic_allowed_values = [ "Ephemeral Public IP (eth0)", "Private IP (eth1)"] diff --git a/terraform/gcp/autoscale-into-new-vpc/main.tf b/terraform/gcp/autoscale-into-new-vpc/main.tf index 16ec2197..180ff6c3 100755 --- a/terraform/gcp/autoscale-into-new-vpc/main.tf +++ b/terraform/gcp/autoscale-into-new-vpc/main.tf 
@@ -17,6 +17,7 @@ resource "google_compute_network" "external_network" { resource "google_compute_subnetwork" "external_subnetwork" { name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}" ip_cidr_range = var.external_subnetwork_ip_cidr_range + private_ip_google_access = true region = var.region network = google_compute_network.external_network.id } @@ -28,6 +29,7 @@ resource "google_compute_network" "internal_network" { resource "google_compute_subnetwork" "internal_subnetwork" { name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}" ip_cidr_range = var.internal_subnetwork_ip_cidr_range + private_ip_google_access = true region = var.region network = google_compute_network.internal_network.id } @@ -42,10 +44,13 @@ module "autoscale-into-existing-vpc" { # --- Check Point--- prefix = var.prefix image_name = var.image_name + os_version = var.os_version management_nic = var.management_nic management_name = var.management_name configuration_template_name = var.configuration_template_name + generate_password = var.generate_password admin_SSH_key = var.admin_SSH_key + maintenance_mode_password_hash = var.maintenance_mode_password_hash network_defined_by_routes = var.network_defined_by_routes admin_shell = var.admin_shell allow_upload_download = var.allow_upload_download diff --git a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars index 48fe765a..a7e7eb72 100755 --- a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars +++ b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars 
@@ -5,11 +5,14 @@ project = "PLEASE ENTER PROJECT ID" # --- Check Point--- prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig" license = "PLEASE ENTER LICENSE" # "BYOL" -image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126" +image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)" management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management" configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt" +generate_password = "PLEASE ENTER true or false" # false admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" network_defined_by_routes = "PLEASE ENTER true OR false" # true admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" allow_upload_download = "PLEASE ENTER true OR false" # true diff --git a/terraform/gcp/autoscale-into-new-vpc/variables.tf b/terraform/gcp/autoscale-into-new-vpc/variables.tf index f19a77d2..e929d1ff 100755 --- a/terraform/gcp/autoscale-into-new-vpc/variables.tf +++ b/terraform/gcp/autoscale-into-new-vpc/variables.tf 
@@ -25,7 +25,12 @@ variable "license" { } variable "image_name" { type = string - description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" + description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "management_nic" { type = string @@ -42,11 +47,21 @@ variable "configuration_template_name" { description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)" default = "tf-asg-autoprov-tmplt" } +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password" + default = false +} variable "admin_SSH_key" { type = string description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "network_defined_by_routes" { type = bool description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." diff --git a/terraform/gcp/common/cluster-member/main.tf b/terraform/gcp/common/cluster-member/main.tf index c740f8b3..c5ae7eda 100755 --- a/terraform/gcp/common/cluster-member/main.tf +++ b/terraform/gcp/common/cluster-member/main.tf 
@@ -109,7 +109,7 @@ resource "google_compute_instance" "cluster_member" { sicKey = var.sic_key allowUploadDownload = var.allow_upload_download templateName = "cluster_tf" - templateVersion = "20230109" + templateVersion = "20230910" templateType = "terraform" mgmtNIC = "" hasInternet = "true" @@ -126,5 +126,7 @@ resource "google_compute_instance" "cluster_member" { name = var.member_name zoneConfig = var.zone region = var.region + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } \ No newline at end of file diff --git a/terraform/gcp/common/cluster-member/variables.tf b/terraform/gcp/common/cluster-member/variables.tf index 51b0e1d9..333e509f 100755 --- a/terraform/gcp/common/cluster-member/variables.tf +++ b/terraform/gcp/common/cluster-member/variables.tf @@ -31,7 +31,12 @@ variable "disk_type" { } variable "image_name" { type = string - description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" + description = "The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-123-456-v12345678). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "cluster_network" { type = list(string) 
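Review bot: `os_version` is passed straight into the startup script here (`os_version = var.os_version`) without the allow-list check that the autoscale modules' locals.tf gets in this same commit (`version_allowed_values` / `validate_os_version`), so a typo such as `R81.20` reaches the gateway as `osVersion=\"R81.20\"` with no plan-time error. Unless a caller not in view validates it, adding the same locals check or a `validation` block on the `os_version` variable in this module keeps the two code paths consistent. The `google_compute_instance` resource starts outside the hunk.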
@@ -158,6 +163,11 @@ variable "smart_1_cloud_token_b" { description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "management_network" { type = string description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." diff --git a/terraform/gcp/common/members-a-b/main.tf b/terraform/gcp/common/members-a-b/main.tf index d40ae6d1..8424e7d8 100755 --- a/terraform/gcp/common/members-a-b/main.tf +++ b/terraform/gcp/common/members-a-b/main.tf @@ -39,6 +39,8 @@ module "member_a" { secondary_cluster_address_name = var.secondary_cluster_address_name smart_1_cloud_token_a = var.smart_1_cloud_token_a smart_1_cloud_token_b = var.smart_1_cloud_token_b + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash } module "member_b" { @@ -82,4 +84,6 @@ module "member_b" { secondary_cluster_address_name = var.secondary_cluster_address_name smart_1_cloud_token_a = var.smart_1_cloud_token_a smart_1_cloud_token_b = var.smart_1_cloud_token_b + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash } diff --git a/terraform/gcp/common/members-a-b/variables.tf b/terraform/gcp/common/members-a-b/variables.tf index 4a5b6e04..6fa8b30c 100755 --- a/terraform/gcp/common/members-a-b/variables.tf +++ b/terraform/gcp/common/members-a-b/variables.tf 
@@ -34,6 +34,11 @@ variable "image_name" { type = string description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" } +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" +} variable "cluster_network" { type = list(string) description = "Cluster external network ID in the chosen zone." @@ -159,6 +164,11 @@ variable "smart_1_cloud_token_b" { description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "management_network" { type = string description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." diff --git a/terraform/gcp/common/startup-script.sh b/terraform/gcp/common/startup-script.sh index 196a04e3..c8192303 100755 --- a/terraform/gcp/common/startup-script.sh +++ b/terraform/gcp/common/startup-script.sh 
@@ -1,3 +1,3 @@
 #cloud-config
 runcmd:
- - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\"'
\ No newline at end of file
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
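Review bot: The hash is interpolated straight into the `runcmd` command line as `MaintenanceModePassword=\"${maintenance_mode_password_hash}\"`, so the rendered cloud-config — which the `google_compute_instance` resource in `main.tf` builds with `templatefile`, presumably as startup metadata — carries the GRUB password hash where any principal with read access to the instance, and anyone reading cloud-init's logged command lines, can see it. A hash is a weaker exposure than a plaintext password but still allows offline guessing of the maintenance-mode password, so the variable description and README should state that the value is not confidential once deployed. The key name says `MaintenanceModePassword` while the value is a hash; if `cloud_config.py` (not visible here) permits it, `MaintenanceModePasswordHash=` would make it harder for a later caller to pass a plaintext password by mistake. The value also lands in a single-quoted YAML scalar with no shape check; `grub2-mkpasswd-pbkdf2` emits `grub.pbkdf2.sha512.<iterations>.<hex>.<hex>` with no quote characters, so a `validation` block on the variable that accepts only that shape or the empty string would reject pasted junk at plan time instead of at first boot.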
diff --git a/terraform/gcp/high-availability/README.md b/terraform/gcp/high-availability/README.md index 03e9d97b..d83af628 100755 --- a/terraform/gcp/high-availability/README.md +++ b/terraform/gcp/high-availability/README.md @@ -46,17 +46,20 @@ provider "google" { compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly + compute.firewalls.update compute.instances.create compute.instances.delete compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata compute.instances.setServiceAccount compute.instances.setTags + compute.instances.updateNetworkInterface compute.networks.create compute.networks.delete compute.networks.get + compute.networks.list compute.networks.updatePolicy compute.regions.list compute.subnetworks.create @@ -65,11 +68,7 @@ provider "google" { compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -118,7 +117,8 @@ project = "project-id" # --- Check Point Deployment --- prefix = "chkp-tf-ha" license = "BYOL" -image_name = "check-point-r8110-gw-byol-cluster-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-cluster-631-991001335-v20230622" +os_version = "R8120" # --- Instances Configuration --- region = "us-central1" @@ -135,7 +135,8 @@ management_network = "209.87.209.100/32" sic_key = "aaaaaaaa" generate_password = false allow_upload_download = false -admin_shell = "/bin/bash" +admin_shell = "/etc/cli.sh" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #--- Quick connect to Smart-1 Cloud --- smart_1_cloud_token_a = "xxxxxxxxxxxxxxxxxxxxxxxx" @@ -226,7 +227,9 @@ internal_network1_subnetwork_name = "" | | | | | | | prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-ha" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| image_name | The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-631-991001335-v20230622). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | | | | | | | | region | GCP region | string | N/A | "us-central1" | no | | zoneA | Member A Zone. The zone determines what computing resources are available and where your data is stored and used. | string | N/A | "us-central1-a" | no | @@ -241,6 +244,7 @@ internal_network1_subnetwork_name = "" | generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no | | smart_1_cloud_token_a | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| | smart_1_cloud_token_b | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| | cluster_network_cidr | Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | N/A | "10.0.0.0/24" | no | @@ -300,6 +304,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230209 | Added Smart-1 Cloud support. | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/high-availability/locals.tf b/terraform/gcp/high-availability/locals.tf index e764ccaf..680c7f9c 100755 --- a/terraform/gcp/high-availability/locals.tf +++ b/terraform/gcp/high-availability/locals.tf 
@@ -9,14 +9,22 @@ locals {
 // will fail if the image name is not in the right syntax
 validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+ version_allowed_values = [
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // Will fail if var.os_version is invalid:
+ validate_os_version = index(local.version_allowed_values, var.os_version)
+
 split_zoneA = split("-", var.zoneA)
 split_zoneB = split("-", var.zoneB)
 // will fail if the var.zoneA and var.zoneB are not at the same region:
 validate_zones = index(local.split_zoneA, local.split_zoneB[0]) == local.split_zoneA[0] && index(local.split_zoneA, local.split_zoneB[1]) == local.split_zoneA[0] ? 0 : "var.zoneA and var.zoneB are not at the same region"
- regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$"
+ regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$"
 // Will fail if var.management_network is invalid
- regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or 'S1C'."
+ regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or S1C."
 regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
diff --git a/terraform/gcp/high-availability/main.tf b/terraform/gcp/high-availability/main.tf
index 821d3542..1abd6c7b 100755
--- a/terraform/gcp/high-availability/main.tf
+++ b/terraform/gcp/high-availability/main.tf
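Review bot: `validate_os_version = index(local.version_allowed_values, var.os_version)` enforces the allowed list only through the runtime error that `index()` raises on a miss, so a mistyped `os_version` surfaces as a generic function-call failure that names neither the variable nor the accepted values; the same construct is added to `terraform/gcp/single-into-existing-vpc/locals.tf` further down. A `validation` block on `variable "os_version"` itself (in `high-availability/variables.tf`, with the same shape in the `single-into-existing-vpc`, `single-into-new-vpc` and `members-a-b` copies, which currently have no check at all) reports a clear message at plan time and keeps the allowed list next to the default, after which both `version_allowed_values`/`validate_os_version` locals can be dropped. Separately, nothing ties `os_version` to the version encoded in `image_name` (the existing image regex still admits `r8110` while `os_version` defaults to `R8120`); whether that matters depends on how `cloud_config.py` consumes `osVersion`, which is not visible here, so at minimum the `os_version` description should say it must match the image. The `locals` block continues outside the hunk.
```hcl
variable "os_version" {
  type        = string
  description = "GAIA OS version"
  default     = "R8120"

  validation {
    condition     = contains(["R81", "R8110", "R8120"], var.os_version)
    error_message = "Variable [os_version] must be one of: R81, R8110, R8120."
  }
}
```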
@@ -247,4 +247,6 @@ module "members_a_b" {
 secondary_cluster_address_name = google_compute_address.secondary_cluster_ip_ext_address.name
 smart_1_cloud_token_a = var.smart_1_cloud_token_a
 smart_1_cloud_token_b = var.smart_1_cloud_token_b
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
 }
\ No newline at end of file
diff --git a/terraform/gcp/high-availability/terraform.tfvars b/terraform/gcp/high-availability/terraform.tfvars
index f888479f..bb4f9e5e 100755
--- a/terraform/gcp/high-availability/terraform.tfvars
+++ b/terraform/gcp/high-availability/terraform.tfvars
@@ -5,7 +5,8 @@ project = "PLEASE ENTER PROJECT ID"
 # --- Check Point Deployment ---
 prefix = "PLEASE ENTER PREFIX" # "chkp-tf-ha"
 license = "PLEASE ENTER LICENSE" # "BYOL"
-image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-cluster-335-985-v20220126"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-cluster-631-991001335-v20230622"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
 # --- Instances Configuration ---
 region = "PLEASE ENTER REGION" # "us-central1"
@@ -23,6 +24,7 @@ sic_key = "PLEASE ENTER A SIC KEY"
 generate_password = "PLEASE ENTER true or false" # false
 allow_upload_download = "PLEASE ENTER true OR false" # true
 admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 # --- Quick connect to Smart-1 Cloud ---
 smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
diff --git a/terraform/gcp/high-availability/variables.tf b/terraform/gcp/high-availability/variables.tf
index a7bede31..72f4e916 100755
--- a/terraform/gcp/high-availability/variables.tf
+++ b/terraform/gcp/high-availability/variables.tf
@@ -25,9 +25,13 @@ variable "license" {
 }
 variable "image_name" {
 type = string
- description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+ description = "The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-123-456-v12345678). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
 }
-
 # --- Instances Configuration ---
 data "google_compute_regions" "available_regions" {
 }
@@ -102,6 +106,11 @@ variable "admin_shell" {
 description = "Change the admin shell to enable advanced command line configuration."
 default = "/etc/cli.sh"
 }
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
 # --- Quick connect to Smart-1 Cloud ---
 variable "smart_1_cloud_token_a" {
 type = string
@@ -120,6 +129,7 @@ resource "null_resource" "validate_both_tokens" {
 resource "null_resource" "validate_different_tokens" {
 count = var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_a == var.smart_1_cloud_token_b ? "To connect to Smart-1 Cloud, you must provide two different tokens" : 0
 }
+
 # --- Networking ---
 variable "cluster_network_cidr" {
 type = string
diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/terraform/gcp/single-into-existing-vpc/README.md
index a3213acb..72bc8265 100755
--- a/terraform/gcp/single-into-existing-vpc/README.md
+++ b/terraform/gcp/single-into-existing-vpc/README.md
@@ -30,41 +30,30 @@ provider "google" { 1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
2. Select "Editor" Role or verify you have the following permissions: ``` + compute.addresses.create + compute.addresses.delete compute.addresses.get compute.addresses.use - compute.addresses.create compute.disks.create - compute.disks.delete compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly - compute.images.getFromFamily - compute.instanceTemplates.create - compute.instanceTemplates.delete - compute.instanceTemplates.get - compute.instanceTemplates.useReadOnly - compute.instances.addAccessConfig + compute.firewalls.update compute.instances.create compute.instances.delete compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata + compute.instances.setServiceAccount compute.instances.setTags - compute.instances.setLabels + compute.instances.updateNetworkInterface compute.networks.get compute.networks.updatePolicy - compute.regions.list - compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list - iam.serviceAccounts.set ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -109,13 +98,15 @@ service_account_path = "service-accounts/service-account-file-name.json" project = "project-id" # --- Check Point--- -image_name = "check-point-r8110-gw-byol-single-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "R8120" installationType = "Gateway only" license = "BYOL" prefix = "chkp-single-tf-" management_nic = "Ephemeral Public IP (eth0)" admin_shell = "/etc/cli.sh" admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = false allow_upload_download = true sicKey = "" 
@@ -178,7 +169,9 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| | | | | | | -| image_name |The single gateway or management image name (e.g. check-point-r8110-gw-byol-single-335-985-v20220126 for gateway or check-point-r8110-byol-335-883-v20210706 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | | | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | @@ -230,6 +223,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | | | | | | | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no| +| | | | | | | sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| | | | | | | | managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| @@ -258,6 +253,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230209 | Added Smart-1 Cloud support. | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/terraform/gcp/single-into-existing-vpc/locals.tf index 39527714..3bfa4737 100755 --- a/terraform/gcp/single-into-existing-vpc/locals.tf +++ b/terraform/gcp/single-into-existing-vpc/locals.tf @@ -22,6 +22,15 @@ locals { regex_validate_single_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-single-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" // will fail if the image name is not in the right syntax validate_image_name = var.installationType != "Gateway only" && length(regexall(local.regex_validate_mgmt_image_name, var.image_name)) > 0 ? 0 : (var.installationType == "Gateway only" && length(regexall(local.regex_validate_single_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")) + + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})" // Will fail if var.admin_SSH_key is invalid regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty" 
@@ -49,7 +58,6 @@ locals {
 // Will fail if management_only and payg
 is_management_only = var.installationType == "Management only"
 is_license_payg = var.license == "PAYG"
- validation_message = "Cannot use 'Management only' installation type with 'PAYG' license."
- _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "")
-
-}
+ validation_massage = "Cannot use 'Management only' installation type with 'Payg' license."
+ _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_massage : "")
+}
\ No newline at end of file
diff --git a/terraform/gcp/single-into-existing-vpc/main.tf b/terraform/gcp/single-into-existing-vpc/main.tf
index aeab8b93..7e34492d 100755
--- a/terraform/gcp/single-into-existing-vpc/main.tf
+++ b/terraform/gcp/single-into-existing-vpc/main.tf
@@ -192,7 +192,7 @@ resource "google_compute_instance" "gateway" {
 sicKey = ""
 allowUploadDownload = var.allowUploadDownload
 templateName = "single_tf"
- templateVersion = "20230109"
+ templateVersion = "20230910"
 templateType = "terraform"
 hasInternet = "true"
 enableMonitoring = var.enableMonitoring
@@ -211,6 +211,8 @@ resource "google_compute_instance" "gateway" {
 name = ""
 zoneConfig = ""
 region = ""
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
 })
 }
 resource "google_compute_address" "static" {
diff --git a/terraform/gcp/single-into-existing-vpc/terraform.tfvars b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
index 8ac21504..f2dd4fbe 100755
--- a/terraform/gcp/single-into-existing-vpc/terraform.tfvars
+++ b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
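Review bot: The rename to `validation_massage` introduces a misspelling (the removed `validation_message` was correct), and the message text changes the license label from `'PAYG'` to `'Payg'` while the check two lines above still compares `var.license == "PAYG"`, so the user-facing error no longer matches the value the template actually accepts. Keep the original pair: ` validation_message = "Cannot use 'Management only' installation type with 'PAYG' license."` and ` _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "")`. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which looks unintended. The `locals` block starts outside the hunk.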
@@ -1,15 +1,17 @@
 # --- Google Provider ---
 service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
-project = "PLEASE ENTER PROJECT ID" # "project-id"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
 # --- Check Point Deployment---
-image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8110-gw-byol-single-335-985-v20220126"
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
 installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
 license = "PLEASE ENTER LICENSE" # "BYOL"
 prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
 management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
 admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
 admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false
 allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false
 sicKey = "PLEASE ENTER SIC KEY" # ""
@@ -23,17 +25,17 @@ zone = "PLEASE ENTER ZONE"
 network = "PLEASE ENTER NETWORK" # ["default"]
 subnetwork = "PLEASE ENTER SUBNETWORK" # ["default"]
 network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false
-network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # [""]
+network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # []
 network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false
-network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # [""]
+network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # []
 network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false
-network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # [""]
+network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # []
 network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false
-network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # [""]
+network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # []
 network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false
-network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # [""]
+network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # []
 network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
-network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [""]
+network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # []
 numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
 externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
 internal_network1_network = "PLEASE ENTER INTERNAL_NETWORK1_NETWORK" # [""]
diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/terraform/gcp/single-into-existing-vpc/variables.tf
index cc620851..196e4678 100755
--- a/terraform/gcp/single-into-existing-vpc/variables.tf
+++ b/terraform/gcp/single-into-existing-vpc/variables.tf
@@ -15,7 +15,12 @@ variable "zone" {
 }
 variable "image_name" {
 type = string
- description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
+ description = "The single gateway and management image name"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
 }
 variable "installationType" {
 type = string
@@ -147,6 +152,11 @@ variable "admin_SSH_key" {
 description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
 default = ""
 }
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
 variable "sicKey" {
 type = string
 description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md
index 857b7c75..62e0b19f 100644
--- a/terraform/gcp/single-into-new-vpc/README.md
+++ b/terraform/gcp/single-into-new-vpc/README.md
@@ -30,48 +30,45 @@ provider "google" {
 1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
2. Select "Editor" Role or verify you have the following permissions: ``` + compute.addresses.create + compute.addresses.delete compute.addresses.get compute.addresses.use - compute.addresses.create compute.disks.create - compute.disks.delete compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly - compute.images.getFromFamily - compute.instanceTemplates.create - compute.instanceTemplates.delete - compute.instanceTemplates.get - compute.instanceTemplates.useReadOnly - compute.instances.addAccessConfig + compute.firewalls.update compute.instances.create compute.instances.delete + compute.instances.deleteAccessConfig compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata + compute.instances.setServiceAccount compute.instances.setTags - compute.instances.setLabels + compute.instances.updateNetworkInterface + compute.networks.create + compute.networks.delete compute.networks.get compute.networks.updatePolicy + compute.regionOperations.get compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list - iam.serviceAccounts.set ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). - - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + - Static credentials can be provided by adding the path to your service-account json file, project-name and region in /gcp/modules/single/terraform.tfvars file as follows: ``` service_account_path = "service-accounts/service-account-file-name.json" - project = "project-id" + project = "project-name" ``` - In case the Environment Variables are used, perform modifications described below:
a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: @@ -106,16 +103,18 @@ The provider credentials can be provided either as static credentials or as [Env ``` # --- Google Provider --- service_account_path = "service-accounts/service-account-file-name.json" -project = "project-id" +project = "project-name" # --- Check Point--- image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "R8120" installationType = "Gateway only" license = "BYOL" prefix = "chkp-single-tf-" management_nic = "Ephemeral Public IP (eth0)" admin_shell = "/etc/cli.sh" admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = false allow_upload_download = true sicKey = "" @@ -181,6 +180,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | | | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | | license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| @@ -229,6 +230,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | | | | | | | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no| +| | | | | | | sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| | | | | | | | managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| @@ -262,6 +265,7 @@ In order to check the template version refer to the [sk116585](https://supportce | 20230921 | Added single-into-new-vpc template. | | | | + ## Authors diff --git a/terraform/gcp/single-into-new-vpc/main.tf b/terraform/gcp/single-into-new-vpc/main.tf index 1597ae33..a9dacc6f 100644 --- a/terraform/gcp/single-into-new-vpc/main.tf +++ b/terraform/gcp/single-into-new-vpc/main.tf @@ -47,12 +47,14 @@ module "single-into-existing-vpc" { # --- Check Point Deployment--- image_name = var.image_name + os_version = var.os_version installationType = var.installationType license = var.license prefix = var.prefix management_nic = var.management_nic admin_shell = var.admin_shell admin_SSH_key = var.admin_SSH_key + maintenance_mode_password_hash = var.maintenance_mode_password_hash generatePassword = var.generatePassword allowUploadDownload = var.allowUploadDownload sicKey = var.sicKey diff --git a/terraform/gcp/single-into-new-vpc/terraform.tfvars b/terraform/gcp/single-into-new-vpc/terraform.tfvars index b387fa3d..dee19701 100644 --- a/terraform/gcp/single-into-new-vpc/terraform.tfvars +++ b/terraform/gcp/single-into-new-vpc/terraform.tfvars 
@@ -4,12 +4,14 @@ project = "PLEASE ENTER PROJECT ID" # --- Check Point Deployment--- image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only" license = "PLEASE ENTER LICENSE" # "BYOL" prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-" management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)" admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh" admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false sicKey = "PLEASE ENTER SIC KEY" # "" diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/terraform/gcp/single-into-new-vpc/variables.tf index 3d6454cf..6a40d8e8 100644 --- a/terraform/gcp/single-into-new-vpc/variables.tf +++ b/terraform/gcp/single-into-new-vpc/variables.tf @@ -19,7 +19,12 @@ variable "zone" { } variable "image_name" { type = string - description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" + description = "The single gateway and management image name" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "installationType" { type = string 
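Review bot: The placeholder comment on the added `maintenance_mode_password_hash` line (`# "xxxxxxxx…"`) gives the operator no hint of the expected value format, whereas the README hunk on this page says the hash is produced by `grub2-mkpasswd-pbkdf2`. Suggest `maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # output of 'grub2-mkpasswd-pbkdf2' on Linux, relevant only for R81.20 and higher`. Since terraform.tfvars is the file users fill with real values and it is tracked in this repository, a short reminder on the same line that a populated hash is secret-like material and should not be committed would also help.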
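Review bot: The new `os_version` variable's description `"GAIA OS version"` does not state the expected spelling, and the tfvars example on this page uses `R8120` while the README wording uses `R81.20`, so a user may plausibly enter the dotted form. Suggest `description = "GAIA OS version, e.g. R8120"`. If the underlying single-into-existing-vpc module only accepts a fixed set of version strings, a `validation` block on this variable would reject a typo at plan time rather than at deployment, but the accepted set is not visible from this hunk.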
@@ -149,6 +154,11 @@ variable "admin_SSH_key" { description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "sicKey" { type = string description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
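Review bot: The new `maintenance_mode_password_hash` variable is not marked sensitive, so its value is shown in plain text in plan and apply output whenever it is set or changed. Add `sensitive = true` to the block (supported from Terraform 0.14; check the module's required_version constraint). The description could also say where the value comes from, as the README hunk on this page does: `description = "Maintenance mode password hash (output of grub2-mkpasswd-pbkdf2), relevant only for R81.20 and higher versions"`.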
