diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md
new file mode 100644
index 00000000..96215042
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/README.md
@@ -0,0 +1,100 @@
+# AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group Terraform module
+
+Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group on Security Management Server.
+
+These types of Terraform resources are supported:
+* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)
+* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)
+* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)
+
+This type of Terraform data source is supported:
+* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)
+
+See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.access_key
+ // secret_key = var.secret_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ permissions = "Create with read permissions"
+ sts_roles = ['arn:aws:iam::111111111111:role/role_name']
+ trusted_account = ""
+ ```
+
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required |
+|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------|
+| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no |
+| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no |
+| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no |
+
+
+## Outputs
+| Name | Description |
+|----------------------|---------------------------------------|
+| cme_iam_role_arn | The created AWS IAM Role arn |
+| cme_iam_role_name | The created AWS IAM Role name |
+| cme_iam_profile_name | The created AWS instance profile name |
+| cme_iam_profile_arn | The created AWS instance profile arn |
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description |
+|------------------|--------------------------------------------------------------------|
+| 20230926 | CME instance profile for IAM Role |
+
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
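Review bot: the sample `terraform.tfvars` block under Usage is not valid HCL: `sts_roles = ['arn:aws:iam::111111111111:role/role_name']` uses single quotes, and HCL only accepts double-quoted strings, so anyone copying it gets a parse error; write `sts_roles = ["arn:aws:iam::111111111111:role/role_name"]`. That example also disagrees with the shipped terraform.tfvars in the same directory, which has `sts_roles = []`, so the README and the file should show the same content. In the Inputs table, `sts_roles` is described as a "map of string ARNs" while its Type column is `list(string)`; fix the description, and "will be able assume" in the `trusted_account` row is missing "to". The Configurations section tells readers to put `access_key`/`secret_key` into terraform.tfvars; since that file is normally committed alongside the module, the environment-variable path should be the recommended one and the static-key example should say the file must be kept out of version control. Finally, the title and opening sentence read awkwardly ("IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group"); "IAM Role used by the Cloud Management Extension (CME) to manage a Gateway Load Balancer Auto Scale Group" says what is meant, and the 20230926 Revision History entry should describe this as the first release of the module rather than reuse the "CME instance profile for IAM Role" line from cme-iam-role.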
diff --git a/terraform/aws/cme-iam-role-gwlb/main.tf b/terraform/aws/cme-iam-role-gwlb/main.tf
new file mode 100644
index 00000000..c9d19587
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/main.tf
@@ -0,0 +1,109 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role_gwlb" {
+ assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = var.trusted_account == "" ? "Service" : "AWS"
+ identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+ }
+ }
+}
+
+locals {
+ provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+ allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+ allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = var.sts_roles
+ }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+ count = local.provided_sts_roles
+ policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+ count = local.provided_sts_roles
+ policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetHealth"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+ count = local.allow_read_permissions
+ policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+ count = local.allow_read_permissions
+ policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:CreateRoute",
+ "ec2:ReplaceRoute",
+ "ec2:DeleteRoute",
+ "ec2:CreateRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:CreateTags"
+]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+ count = local.allow_write_permissions
+ policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+ count = local.allow_write_permissions
+ policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
\ No newline at end of file
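Review bot: when `trusted_account` is set, the trust policy at `identifiers = [var.trusted_account]` names a bare account ID, which AWS treats as that account's root principal: every IAM principal in the trusted account whose own policy allows `sts:AssumeRole` on this role can assume it, with no `condition` (for example `sts:ExternalId`) to narrow it. The README says this is intended, but accepting a specific role or user ARN instead of an account ID, or at least adding a condition block to the statement, would be a safer default for a role that can rewrite route tables. Both managed policies use `resources = ["*"]`; that is unavoidable for the `ec2:Describe*` / `elasticloadbalancing:Describe*` read set, but the write set (`ec2:CreateRoute`, `ec2:ReplaceRoute`, `ec2:DeleteRoute`, `ec2:CreateRouteTable`, `ec2:AssociateRouteTable`, `ec2:CreateTags`) lets the management server change any route table in the account; scoping it with route-table ARNs or an `ec2:ResourceTag` condition would limit the blast radius if the instance is compromised. Also note that `data.aws_iam_policy_document.cme_role_sts_policy_doc` is rendered with an empty `resources` list whenever `var.sts_roles` is empty; harmless here because `aws_iam_policy.cme_role_sts_policy` has `count = 0` in that case, but it means `permissions = "Create with assume role permissions (specify an STS role ARN)"` combined with an empty `sts_roles` silently produces a role with no policies attached, which deserves an explicit error.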
diff --git a/terraform/aws/cme-iam-role-gwlb/output.tf b/terraform/aws/cme-iam-role-gwlb/output.tf
new file mode 100644
index 00000000..8c86901a
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/output.tf
@@ -0,0 +1,13 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role_gwlb.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role_gwlb.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
+
diff --git a/terraform/aws/cme-iam-role-gwlb/terraform.tfvars b/terraform/aws/cme-iam-role-gwlb/terraform.tfvars
new file mode 100644
index 00000000..9914eae9
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role-gwlb/variables.tf b/terraform/aws/cme-iam-role-gwlb/variables.tf
new file mode 100644
index 00000000..3a0fe740
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
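Review bot: the `locals` block validates `var.permissions` through `index(local.permissions_allowed_values, var.permissions)`, which fails with a generic invalid-index error and only if the local happens to be evaluated; versions.tf already requires Terraform >= 0.14.3, so use a `validation` block on the variable instead, e.g. `condition = contains(["Create with assume role permissions (specify an STS role ARN)", "Create with read permissions", "Create with read-write permissions"], var.permissions)` with a readable `error_message`. `trusted_account` is documented as a 12-digit account ID but nothing enforces it before it lands in a trust policy; `condition = var.trusted_account == "" || can(regex("^[0-9]{12}$", var.trusted_account))` would catch typos at plan time. `access_key` and `secret_key` should be declared `sensitive = true` (supported since 0.14) so they are redacted from plan output. Minor text fixes: the `sts_roles` description says "map of string ARNs" while the type is `list(string)`, and "will be able assume" in the `trusted_account` description is missing "to".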
diff --git a/terraform/aws/cme-iam-role-gwlb/versions.tf b/terraform/aws/cme-iam-role-gwlb/versions.tf
new file mode 100644
index 00000000..a2133c0a
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.24.1"
+ }
+ }
+}
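Review bot: `version = "~> 3.24.1"` pins the AWS provider to the 3.24.x patch series, which is from early 2021; the module only uses `aws_iam_role`, `aws_iam_policy`, `aws_iam_role_policy_attachment`, `aws_iam_instance_profile` and the `aws_iam_policy_document` data source, all of which have been stable across later provider majors, so a looser constraint (`~> 3.24` or a current major) is reasonable. Whatever is chosen must be satisfiable together with the constraint in the `management` module that now calls this one with `providers = { aws = aws }`, otherwise `terraform init` fails on the gwlb solution.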
diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md
index 3c39563b..adbbc4ca 100755
--- a/terraform/aws/cme-iam-role/README.md
+++ b/terraform/aws/cme-iam-role/README.md
@@ -60,7 +60,7 @@ secret_key = "my-secret-key"
//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
permissions = "Create with read permissions"
- sts_roles = []
+ sts_roles = ['arn:aws:iam::111111111111:role/role_name']
trusted_account = ""
```
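Review bot: the new example `sts_roles = ['arn:aws:iam::111111111111:role/role_name']` uses single quotes, which HCL does not accept for strings; it needs `sts_roles = ["arn:aws:iam::111111111111:role/role_name"]`. Since this block is introduced as the content of terraform.tfvars, it should also match what the module ships in that file, or the sentence above it should say the value is only an illustration.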
@@ -83,8 +83,8 @@ secret_key = "my-secret-key"
|----------------------|---------------------------------------|
| cme_iam_role_arn | The created AWS IAM Role arn |
| cme_iam_role_name | The created AWS IAM Role name |
-| cme_iam_profile_arn | The created AWS instance profile arn |
| cme_iam_profile_name | The created AWS instance profile name |
+| cme_iam_profile_arn | The created AWS instance profile arn |
## Revision History
In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
@@ -92,7 +92,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
| Template Version | Description |
|------------------|--------------------------------------------------------------------|
| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS |
-| 20230529 | Added CME instance profile for IAM Role |
+| 20230529 | CME instance profile for IAM Role |
diff --git a/terraform/aws/cme-iam-role/output.tf b/terraform/aws/cme-iam-role/output.tf
index c41c0d29..cad35709 100755
--- a/terraform/aws/cme-iam-role/output.tf
+++ b/terraform/aws/cme-iam-role/output.tf
@@ -4,9 +4,9 @@ output "cme_iam_role_arn" {
output "cme_iam_role_name" {
value = aws_iam_role.cme_iam_role.name
}
-output "cme_iam_profile_arn" {
- value = aws_iam_instance_profile.iam_instance_profile.arn
-}
output "cme_iam_profile_name" {
value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
}
\ No newline at end of file
diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md
index 1db69c26..a49b9272 100755
--- a/terraform/aws/gwlb/README.md
+++ b/terraform/aws/gwlb/README.md
@@ -16,7 +16,7 @@ See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkp
This solution uses the following modules:
- /terraform/aws/autoscale-gwlb
- /terraform/aws/management
-- /terraform/aws/cme-iam-role
+- /terraform/aws/cme-iam-role-gwlb
- /terraform/aws/modules/amis
## Configurations
diff --git a/terraform/aws/gwlb/main.tf b/terraform/aws/gwlb/main.tf
index d64184a8..ac75d2ff 100755
--- a/terraform/aws/gwlb/main.tf
+++ b/terraform/aws/gwlb/main.tf
@@ -90,4 +90,5 @@ module "management" {
gateway_management = var.gateway_management
management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_gwlb\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn gwlb-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; echo -e '\nFinished Bootstrap script\n'"
volume_type = var.volume_type
+ is_gwlb_iam = true
}
diff --git a/terraform/aws/management/locals.tf b/terraform/aws/management/locals.tf
index c89f6e12..65ef62ad 100755
--- a/terraform/aws/management/locals.tf
+++ b/terraform/aws/management/locals.tf
@@ -10,6 +10,11 @@ locals {
use_role = var.iam_permissions == "None (configure later)" ? 0 : 1
create_iam_role = var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions"
+ pre_role = (local.use_role == 1 && local.create_iam_role == false) ? 1 : 0
+ new_instance_profile = (local.create_iam_role == true && local.use_role == 1) ? 1 : 0
+
+ new_instance_profile_general = local.new_instance_profile == 1 && var.is_gwlb_iam == false ? 1 : 0
+ new_instance_profile_gwlb = local.new_instance_profile == 1 && var.is_gwlb_iam ? 1 : 0
admin_shell_allowed_values = [
"/etc/cli.sh",
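Review bot: `pre_role` is an opaque name for "use the predefined role"; `use_predefined_role` would make the `count`/`iam_instance_profile` logic in main.tf self-explanatory. The boolean comparisons are inconsistent within the same five lines: `local.create_iam_role == false`, `local.create_iam_role == true` and `var.is_gwlb_iam == false` next to the bare `var.is_gwlb_iam`; `!local.create_iam_role` / `!var.is_gwlb_iam` reads better. Nothing on the `pre_role` path checks that `var.predefined_role` is non-empty, and main.tf now passes it straight into `aws_iam_instance_profile.management_instance_profile`, so a `validation` on that variable would turn an AWS API error into a plan-time message.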
diff --git a/terraform/aws/management/main.tf b/terraform/aws/management/main.tf
index 618b4f14..ab9e727f 100755
--- a/terraform/aws/management/main.tf
+++ b/terraform/aws/management/main.tf
@@ -113,9 +113,9 @@ resource "aws_eip" "eip" {
}
resource "aws_iam_instance_profile" "management_instance_profile" {
- count = local.use_role
+ count = local.pre_role
path = "/"
- role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role
+ role = var.predefined_role
}
resource "aws_instance" "management-instance" {
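Review bot: changing `count` from `local.use_role` to `local.pre_role` and `role` to `var.predefined_role` means that existing deployments created with one of the "Create with ..." permission modes will have their root-level `aws_iam_instance_profile.management_instance_profile[0]` destroyed and a new profile created inside the child module on the next apply; the instance's `iam_instance_profile` attribute is updated in place, but this is a visible change that belongs in the Revision History. Where the Terraform version allows it (`moved` blocks need 1.1+, the repository currently requires >= 0.14.3), a `moved` block from `aws_iam_instance_profile.management_instance_profile[0]` to the module's `aws_iam_instance_profile.iam_instance_profile` would keep the existing profile instead of replacing it.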
@@ -145,7 +145,8 @@ resource "aws_instance" "management-instance" {
}
instance_type = var.management_instance_type
key_name = var.key_name
- iam_instance_profile = local.use_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : ""
+
+ iam_instance_profile = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): ""
disable_api_termination = var.disable_instance_termination
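Review bot: the new `iam_instance_profile` value is a nested conditional wrapped in `join("", ...)` on one line, which is hard to review and easy to break. Since `local.pre_role`, `local.new_instance_profile_general` and `local.new_instance_profile_gwlb` are mutually exclusive and all zero when `local.use_role` is 0, the same selection can be expressed without conditionals as `join("", concat(aws_iam_instance_profile.management_instance_profile.*.id, module.cme_iam_role.*.cme_iam_profile_name, module.cme_iam_role_gwlb.*.cme_iam_profile_name))`, preferably as a named local in locals.tf; that also yields `""` in the no-role case. The blank line added above the attribute should be dropped.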
@@ -176,7 +177,18 @@ module "cme_iam_role" {
providers = {
aws = aws
}
- count = local.create_iam_role ? 1 : 0
+ count = local.new_instance_profile_general
+
+ sts_roles = var.sts_roles
+ permissions = var.iam_permissions
+}
+
+module "cme_iam_role_gwlb" {
+ source = "../cme-iam-role-gwlb"
+ providers = {
+ aws = aws
+ }
+ count = local.new_instance_profile_gwlb
sts_roles = var.sts_roles
permissions = var.iam_permissions
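Review bot: `module "cme_iam_role_gwlb"` (like the existing `cme_iam_role` call) passes only `sts_roles` and `permissions`, so the child module's `trusted_account` is never set from the management module and its trust policy always falls back to `ec2.amazonaws.com`; that is the right default for an instance profile, but if the variable is meant to be reachable from this solution it needs to be wired through here, and if not, the management README should say so. Separately, cme-iam-role-gwlb/main.tf declares its own `provider "aws"` block and is now called with `count = local.new_instance_profile_gwlb`; Terraform documents that a module containing provider configurations cannot be used with `count`/`for_each`, so confirm `terraform validate` passes on the gwlb solution, and consider removing the provider block from the child modules and relying on the `providers = { aws = aws }` mapping that is already here.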
diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml
index a58bd498..b836813d 100755
--- a/terraform/aws/management/management_userdata.yaml
+++ b/terraform/aws/management/management_userdata.yaml
@@ -1,4 +1,4 @@
#cloud-config
runcmd:
- |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230923\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230926\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/management/variables.tf b/terraform/aws/management/variables.tf
index b283e917..8eb2a074 100755
--- a/terraform/aws/management/variables.tf
+++ b/terraform/aws/management/variables.tf
@@ -177,4 +177,8 @@ variable "volume_type" {
type = string
description = "General Purpose SSD Volume Type"
default = "gp3"
+}
+variable "is_gwlb_iam" {
+ type = bool
+ default = false
}
\ No newline at end of file
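Review bot: `variable "is_gwlb_iam"` has no `description`, unlike `volume_type` just above it, and its effect (select `cme-iam-role-gwlb` instead of `cme-iam-role` when the management module creates the IAM role) is not obvious from the name; add something like `description = "Create the GWLB-specific CME IAM role (cme-iam-role-gwlb) instead of the general cme-iam-role"`. The file also still ends without a trailing newline.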