
Added Routing-Intent support
chkp-yairra committed Dec 21, 2023
1 parent 953b2d3 commit 00d9c83
Showing 9 changed files with 210 additions and 9 deletions.
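--- a/terraform/azure/modules/add-routing-intent.py
+++ b/terraform/azure/modules/add-routing-intent.py
@@ -0,0 +1,28 @@
+import json
+
+import requests
+import sys
+
+def perform_put_request(url, data, headers=None):
+"""
+This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent
+"""
+result = {"status": "success", "message": ""}
+try:
+response = requests.put(url, json=data, headers=headers)
+result["message"] = response.text
+except Exception as e:
+result["status"] = "error"
+result["message"] = f"An error occurred: {str(e)}"
+return result
+
+if __name__ == "__main__":
+"""
+This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent
+"""
+api_url = sys.argv[1]
+api_data = eval(sys.argv[2])
+auth_token = sys.argv[3]
+api_headers = {"Authorization": f'Bearer {auth_token}'}
+result = perform_put_request(api_url, api_data, api_headers)
+print(json.dumps(result))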
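Review bot: `api_data = eval(sys.argv[2])` executes the second argument as arbitrary Python, when all the caller in main.tf ever hands it is a `jsonencode` body; the parser for that is already imported, so this should read `api_data = json.loads(sys.argv[2])`. The bearer token in `sys.argv[3]` is exposed in the process list to every local user for the duration of the request, and Terraform's external data source can deliver inputs as JSON on stdin (its `query` argument), which is the better channel for a credential. perform_put_request also reports `"status": "success"` for any HTTP reply, including a 401/403/4xx from Azure, because only transport exceptions are caught; add `if not response.ok: result["status"] = "error"` after the `requests.put` call so a rejected routing-intent update is not reported as applied. The `except Exception` catch would be more honest as `except requests.RequestException as e`, and the README section in this commit says Python is required but does not mention that the third-party `requests` package must be installed too.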
7 changes: 7 additions & 0 deletions terraform/azure/nva-into-existing-hub/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ As part of the deployment the following resources are created:

## Configurations
- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure).
- In order to configure hub routing-intent policies it is **required** to have Python installed.

## Usage
- Choose the preferred login method to Azure in order to deploy the solution:
Expand Down Expand Up @@ -98,6 +99,10 @@ As part of the deployment the following resources are created:
| **bgp-asn** | The BGP autonomous system number. | string | 64512 ||
| | | | | |
| **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes; <br/>no; |
| | | | | |
| **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes; <br/>no; |
| | | | | |
| **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes; <br/>no; |
| | | | | |
| **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service. <br/><br/> Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | |
| | | | | |
Expand Down Expand Up @@ -137,6 +142,8 @@ As part of the deployment the following resources are created:
ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
bgp-asn = "64512"
custom-metrics = "yes"
routing-intent-internet-traffic = "yes"
routing-intent-private-traffic = "yes"
smart1-cloud-token-a = ""
smart1-cloud-token-b = ""
smart1-cloud-token-c = ""
64 changes: 63 additions & 1 deletion terraform/azure/nva-into-existing-hub/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,59 @@ data "http" "image-versions" {

locals {
image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == lower(substr(replace(var.cloudguard-version, ".", ""), 1, 4))])
routing_intent-internet-policy = {
"name": "InternetTraffic",
"destinations": [
"Internet"
],
"nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
}
routing_intent-private-policy = {
"name": "PrivateTrafficPolicy",
"destinations": [
"PrivateTraffic"
],
"nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
}
routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}})
req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01"
}

//********************** Marketplace Terms & Solution Registration **************************//
data "http" "accept-marketplace-terms-existing-agreement" {
method = "GET"
url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/azure-vwan/plans/vwan-app?api-version=2021-01-01"
request_headers = {
Accept = "application/json"
"Authorization" = "Bearer ${local.access_token}"
}
}

resource "azurerm_marketplace_agreement" "accept-marketplace-terms" {
count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.id) && jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1
publisher = "checkpoint"
offer = "azure-vwan"
plan = "vwan-app"
}

data "http" "azurerm_resource_provider_registration-exist" {
method = "GET"
url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01"
request_headers = {
Accept = "application/json"
"Authorization" = "Bearer ${local.access_token}"
}
}

resource "azurerm_resource_provider_registration" "solutions" {
count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1
name = "Microsoft.Solutions"
}

//********************** Managed Application Configuration **************************//
resource "azurerm_managed_application" "nva" {
depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions]
name = var.managed-app-name
location = azurerm_resource_group.managed-app-rg.location
resource_group_name = azurerm_resource_group.managed-app-rg.name
Expand Down Expand Up @@ -116,4 +165,17 @@ resource "azurerm_managed_application" "nva" {
value = var.smart1-cloud-token-e
}
})
}
}

//********************** Routing Intent **************************//

data "external" "update-routing-intent" {
count = length(local.routing-intent-policies) != 0 ? 1 : 0
depends_on = [azurerm_managed_application.nva]
program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]
}

output "api_request_result" {
value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"}
}
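Review bot: `program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]` passes the bearer token and the request body as command-line arguments, which are visible in process listings and in `TF_LOG` trace output; the `external` data source accepts a `query` map that is delivered to the program as JSON on stdin, so the token and body should go there instead, e.g. `query = { url = local.req_url, body = local.req_body, token = local.access_token }` with the script reading stdin. Because this is a data source rather than a resource, the PUT appears to be re-issued on every plan/refresh, not only when the policies change — worth confirming and, if so, documenting next to the block. `output "api_request_result"` surfaces the raw Azure response text into state and CLI output, which should be noted in the README or trimmed to the status field. `local.access_token` is defined outside this hunk and the second hunk opens inside the body of `azurerm_managed_application.nva`, so the dependency chain could not be fully checked here.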

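--- a/terraform/azure/nva-into-existing-hub/terraform.tfvars
+++ b/terraform/azure/nva-into-existing-hub/terraform.tfvars
@@ -18,7 +18,9 @@ admin-shell = "PLEASE ENTER ADMIN SHELL"
 sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
 ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
 bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
-custom-metrics = "PLEASE ENTER yes or no" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+custom-metrics = "PLEASE ENTER yes or no" # "yes"
+routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
+routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
 smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"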
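--- a/terraform/azure/nva-into-existing-hub/variables.tf
+++ b/terraform/azure/nva-into-existing-hub/variables.tf
@@ -113,6 +113,22 @@ variable "custom-metrics" {
 }
 }
 
+variable "routing-intent-internet-traffic" {
+default = "yes"
+validation {
+condition = contains(["yes", "no"], var.routing-intent-internet-traffic)
+error_message = "Valid options are string('yes' or 'no')"
+}
+}
+
+variable "routing-intent-private-traffic" {
+default = "yes"
+validation {
+condition = contains(["yes", "no"], var.routing-intent-private-traffic)
+error_message = "Valid options are string('yes' or 'no')"
+}
+}
+
 variable "smart1-cloud-token-a" {
 type = string
 default = ""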
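Review bot: Both new `routing-intent-*` variables declare neither `type` nor `description`, while `smart1-cloud-token-a` directly below carries `type = string`; add `type = string` so non-string input is rejected before the `validation` block runs, and a `description` such as `"Add a routing-intent policy sending Internet-bound traffic through the NVA (yes/no)"` so `terraform-docs` and the README table stay in sync. Both default to `"yes"`, which means a hub's routing intent is rewritten unless the caller opts out — that default deserves a sentence in the description.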