From 00d9c839febeffc1fce02a6d07e7460fdc489810 Mon Sep 17 00:00:00 2001 From: yairra Date: Thu, 21 Dec 2023 15:59:40 +0200 Subject: [PATCH] Added Routing-Intent support --- terraform/azure/modules/add-routing-intent.py | 28 ++++++++ .../azure/nva-into-existing-hub/README.md | 7 ++ terraform/azure/nva-into-existing-hub/main.tf | 64 +++++++++++++++++- .../nva-into-existing-hub/terraform.tfvars | 4 +- .../azure/nva-into-existing-hub/variables.tf | 16 +++++ terraform/azure/nva-into-new-vwan/README.md | 9 ++- terraform/azure/nva-into-new-vwan/main.tf | 65 ++++++++++++++++++- .../azure/nva-into-new-vwan/terraform.tfvars | 10 +-- .../azure/nva-into-new-vwan/variables.tf | 16 +++++ 9 files changed, 210 insertions(+), 9 deletions(-) create mode 100755 terraform/azure/modules/add-routing-intent.py diff --git a/terraform/azure/modules/add-routing-intent.py b/terraform/azure/modules/add-routing-intent.py new file mode 100755 index 00000000..a13eaa0d --- /dev/null +++ b/terraform/azure/modules/add-routing-intent.py @@ -0,0 +1,28 @@ +import json + +import requests +import sys + +def perform_put_request(url, data, headers=None): + """ + This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent + """ + result = {"status": "success", "message": ""} + try: + response = requests.put(url, json=data, headers=headers) + result["message"] = response.text + except Exception as e: + result["status"] = "error" + result["message"] = f"An error occurred: {str(e)}" + return result + +if __name__ == "__main__": + """ + This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent + """ + api_url = sys.argv[1] + api_data = eval(sys.argv[2]) + auth_token = sys.argv[3] + api_headers = {"Authorization": f'Bearer {auth_token}'} + result = perform_put_request(api_url, api_data, api_headers) + print(json.dumps(result)) diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md index 13b467c1..e8c8ca55 100755 --- a/terraform/azure/nva-into-existing-hub/README.md +++ b/terraform/azure/nva-into-existing-hub/README.md @@ -11,6 +11,7 @@ As part of the deployment the following resources are created: ## Configurations - Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). +- In order to configure hub routing-intent policies it is **required** to have Python installed. ## Usage - Choose the preferred login method to Azure in order to deploy the solution: @@ -98,6 +99,10 @@ As part of the deployment the following resources are created: | **bgp-asn** | The BGP autonomous system number. | string | 64512 || | | | | | | | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | + | | | | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no; | + | | | | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no; | | | | | | | | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | | | | | | | @@ -137,6 +142,8 @@ As part of the deployment the following resources are created: ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" bgp-asn = "64512" custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" smart1-cloud-token-a = "" smart1-cloud-token-b = "" smart1-cloud-token-c = "" diff --git a/terraform/azure/nva-into-existing-hub/main.tf b/terraform/azure/nva-into-existing-hub/main.tf index 0f3fbe13..7498c236 100755 --- a/terraform/azure/nva-into-existing-hub/main.tf +++ b/terraform/azure/nva-into-existing-hub/main.tf @@ -41,10 +41,59 @@ data "http" "image-versions" { locals { image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == lower(substr(replace(var.cloudguard-version, ".", ""), 1, 4))]) + routing_intent-internet-policy = { + "name": "InternetTraffic", + "destinations": [ + "Internet" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name": "PrivateTrafficPolicy", + "destinations": [ + "PrivateTraffic" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : []) + req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}}) + req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01" +} + +//********************** Marketplace Terms & Solution Registration **************************// +data "http" "accept-marketplace-terms-existing-agreement" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/azure-vwan/plans/vwan-app?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.id) && jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1 + publisher = "checkpoint" + offer = "azure-vwan" + plan = "vwan-app" +} + +data "http" "azurerm_resource_provider_registration-exist" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_resource_provider_registration" "solutions" { + count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1 + name = "Microsoft.Solutions" } //********************** Managed Application Configuration **************************// resource "azurerm_managed_application" "nva" { + depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] name = var.managed-app-name location = azurerm_resource_group.managed-app-rg.location resource_group_name = azurerm_resource_group.managed-app-rg.name @@ -116,4 +165,17 @@ resource "azurerm_managed_application" "nva" { value = var.smart1-cloud-token-e } }) -} \ No newline at end of file +} + +//********************** Routing Intent **************************// + +data "external" "update-routing-intent" { + count = length(local.routing-intent-policies) != 0 ? 1 : 0 + depends_on = [azurerm_managed_application.nva] + program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"] +} + +output "api_request_result" { + value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"} +} + diff --git a/terraform/azure/nva-into-existing-hub/terraform.tfvars b/terraform/azure/nva-into-existing-hub/terraform.tfvars index a0d055e5..fe410e5e 100755 --- a/terraform/azure/nva-into-existing-hub/terraform.tfvars +++ b/terraform/azure/nva-into-existing-hub/terraform.tfvars @@ -18,7 +18,9 @@ admin-shell = "PLEASE ENTER ADMIN SHELL" sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx" ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512" -custom-metrics = "PLEASE ENTER yes or no" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +custom-metrics = "PLEASE ENTER yes or no" # "yes" +routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes" +routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes" smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" diff --git a/terraform/azure/nva-into-existing-hub/variables.tf b/terraform/azure/nva-into-existing-hub/variables.tf index cbe5bfde..0842b74e 100755 --- a/terraform/azure/nva-into-existing-hub/variables.tf +++ b/terraform/azure/nva-into-existing-hub/variables.tf @@ -113,6 +113,22 @@ variable "custom-metrics" { } } +variable "routing-intent-internet-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-internet-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-private-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-private-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + variable "smart1-cloud-token-a" { type = string default = "" diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index d8365bd3..b886b595 100755 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md @@ -13,6 +13,7 @@ As part of the deployment the following resources are created: ## Configurations - Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). +- In order to configure hub routing-intent policies it is **required** to have Python installed. ## Usage - Choose the preferred login method to Azure in order to deploy the solution: @@ -102,7 +103,11 @@ As part of the deployment the following resources are created: | **bgp-asn** | The BGP autonomous system number. | string | 64512 || | | | | | | | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | - | | | | | | + | | | | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no; | + | | | | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no; | + | | | | | | | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | | | | | | | | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | @@ -142,6 +147,8 @@ As part of the deployment the following resources are created: ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" bgp-asn = "64512" custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" smart1-cloud-token-a = "" smart1-cloud-token-b = "" smart1-cloud-token-c = "" diff --git a/terraform/azure/nva-into-new-vwan/main.tf b/terraform/azure/nva-into-new-vwan/main.tf index 5a420e6b..143ddd5c 100755 --- a/terraform/azure/nva-into-new-vwan/main.tf +++ b/terraform/azure/nva-into-new-vwan/main.tf @@ -18,7 +18,6 @@ resource "azurerm_virtual_hub" "vwan-hub" { virtual_wan_id = azurerm_virtual_wan.vwan.id } - //********************** Image Version **************************// data "external" "az_access_token" { @@ -51,10 +50,61 @@ data "http" "image-versions" { locals { image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == lower(substr(replace(var.cloudguard-version, ".", ""), 1, 4))]) + routing_intent-internet-policy = { + "name": "InternetTraffic", + "destinations": [ + "Internet" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name": "PrivateTrafficPolicy", + "destinations": [ + "PrivateTraffic" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : []) + req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}}) + req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${azurerm_resource_group.managed-app-rg.name}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01" + +} + +//********************** Marketplace Terms & Solution Registration **************************// +data "http" "accept-marketplace-terms-existing-agreement" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/azure-vwan/plans/vwan-app?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.id) && jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1 + publisher = "checkpoint" + offer = "azure-vwan" + plan = "vwan-app" +} + + +data "http" "azurerm_resource_provider_registration-exist" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_resource_provider_registration" "solutions" { + count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1 + name = "Microsoft.Solutions" } //********************** Managed Application Configuration **************************// resource "azurerm_managed_application" "nva" { + depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] name = var.managed-app-name location = azurerm_resource_group.managed-app-rg.location resource_group_name = azurerm_resource_group.managed-app-rg.name @@ -126,4 +176,15 @@ resource "azurerm_managed_application" "nva" { value = var.smart1-cloud-token-e } }) -} \ No newline at end of file +} + +//********************** Routing Intent **************************// +data "external" "update-routing-intent" { + count = length(local.routing-intent-policies) != 0 ? 1 : 0 + depends_on = [azurerm_managed_application.nva] + program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"] +} + +output "api_request_result" { + value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"} +} diff --git a/terraform/azure/nva-into-new-vwan/terraform.tfvars b/terraform/azure/nva-into-new-vwan/terraform.tfvars index 7a58991a..9b29241a 100755 --- a/terraform/azure/nva-into-new-vwan/terraform.tfvars +++ b/terraform/azure/nva-into-new-vwan/terraform.tfvars @@ -1,4 +1,4 @@ - #PLEASE refer to the README.md for accepted values for the variables below +#PLEASE refer to the README.md for accepted values for the variables below authentication_method = "PLEASE ENTER AUTHENTICATION METHOD" # "Service Principal" client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" @@ -6,8 +6,8 @@ tenant_id = "PLEASE ENTER TENANT ID" subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" resource-group-name = "PLEASE ENTER RESOURCE GROUP NAME" # "tf-managed-app-resource-group" location = "PLEASE ENTER LOCATION" # "westcentralus" -vwan-name = "PLEASE ENTER VIRTUAL WAN NAME" # "tf-vwan" -vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-vwan-hub" +vwan-name = "PLEASE ENTER VIRTUAL WAN NAME" # "tf-cp-vwan" +vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-cp-vwan-hub" vwan-hub-address-prefix = "PLEASE ENTER VWAN HUB ADDRESS PREFIX" # "10.0.0.0/16" managed-app-name = "PLEASE ENTER MANAGED APPLICATION NAME" # "tf-vwan-managed-app-nva" nva-rg-name = "PLEASE ENTER NVA RESOURCE GROUP NAME" # "tf-vwan-nva-rg" @@ -19,7 +19,9 @@ admin-shell = "PLEASE ENTER ADMIN SHELL" sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx" ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512" -custom-metrics = "PLEASE ENTER yes or no" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +custom-metrics = "PLEASE ENTER yes or no" # "yes" +routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes" +routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes" smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" diff --git a/terraform/azure/nva-into-new-vwan/variables.tf b/terraform/azure/nva-into-new-vwan/variables.tf index bfd866d8..033819bb 100755 --- a/terraform/azure/nva-into-new-vwan/variables.tf +++ b/terraform/azure/nva-into-new-vwan/variables.tf @@ -119,6 +119,22 @@ variable "custom-metrics" { } } +variable "routing-intent-internet-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-internet-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-private-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-private-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + variable "smart1-cloud-token-a" { type = string default = ""