From 3169df6e8692ab5ab4015c13bd960b153ce792aa Mon Sep 17 00:00:00 2001 
From: eddiek Date: Tue, 10 Dec 2024 15:52:31 +0000 Subject: [PATCH] removing step git reset --hard $CI_COMMIT_SHA --- .../autoscale-into-existing-vpc/README.md | 0 .../autoscale-into-existing-vpc/locals.tf | 0 .../autoscale-into-existing-vpc/main.tf | 0 .../autoscale-into-existing-vpc/output.tf | 0 .../terraform.tfvars | 0 .../autoscale-into-existing-vpc/variables.tf | 0 .../autoscale-into-new-vpc/README.md | 0 .../autoscale-into-new-vpc/locals.tf | 0 .../autoscale-into-new-vpc/main.tf | 0 .../autoscale-into-new-vpc/output.tf | 0 .../autoscale-into-new-vpc/terraform.tfvars | 0 .../autoscale-into-new-vpc/variables.tf | 0 .../common/cluster-member/main.tf | 132 ++++++++ .../common/cluster-member/output.tf | 6 + .../common/cluster-member/variables.tf | 184 +++++++++++ .../common/common/main.tf | 2 + .../common/common/output.tf | 0 .../common/common/variables.tf | 85 +++++ .../common/firewall-rule/main.tf | 10 + .../common/firewall-rule/output.tf | 3 + .../common/firewall-rule/variables.tf | 17 + .../common/network-and-subnet/main.tf | 21 ++ .../common/network-and-subnet/output.tf | 18 + .../common/network-and-subnet/variables.tf | 27 ++ .../common/startup-script.sh | 3 + .../single-into-existing-vpc/README.md | 0 .../single-into-existing-vpc/locals.tf | 0 .../single-into-existing-vpc/main.tf | 0 .../single-into-existing-vpc/output.tf | 0 .../single-into-existing-vpc/terraform.tfvars | 0 .../single-into-existing-vpc/variables.tf | 0 .../single-into-new-vpc/README.md | 0 .../single-into-new-vpc/main.tf | 0 .../single-into-new-vpc/output.tf | 0 .../single-into-new-vpc/terraform.tfvars | 0 .../single-into-new-vpc/variables.tf | 0 terraform/gcp/autoscale/README.md | 257 +++++++++++++++ terraform/gcp/autoscale/locals.tf | 9 + terraform/gcp/autoscale/main.tf | 130 ++++++++ terraform/gcp/autoscale/output.tf | 42 +++ terraform/gcp/autoscale/terraform.tfvars | 41 +++ terraform/gcp/autoscale/variables.tf | 206 ++++++++++++ terraform/gcp/autoscale/versions.tf | 18 + 
terraform/gcp/common/autoscale-common/main.tf | 150 +++++++++ .../gcp/common/autoscale-common/output.tf | 18 + .../gcp/common/autoscale-common/variables.tf | 179 ++++++++++ terraform/gcp/common/cluster-member/main.tf | 2 +- terraform/gcp/common/common/main.tf | 2 + terraform/gcp/common/common/output.tf | 0 terraform/gcp/common/common/variables.tf | 85 +++++ terraform/gcp/common/members-a-b/main.tf | 4 +- terraform/gcp/common/members-a-b/variables.tf | 4 +- .../gcp/common/network-and-subnet/main.tf | 4 +- terraform/gcp/common/single-common/main.tf | 156 +++++++++ terraform/gcp/common/single-common/output.tf | 3 + .../gcp/common/single-common/variables.tf | 226 +++++++++++++ terraform/gcp/common/startup-script.sh | 2 +- terraform/gcp/single/README.md | 253 ++++++++++++++ terraform/gcp/single/locals.tf | 23 ++ terraform/gcp/single/main.tf | 212 ++++++++++++ terraform/gcp/single/output.tf | 74 +++++ terraform/gcp/single/terraform.tfvars | 46 +++ terraform/gcp/single/variables.tf | 309 ++++++++++++++++++ terraform/gcp/single/versions.tf | 18 + 64 files changed, 2973 insertions(+), 8 deletions(-) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/README.md (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/locals.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/main.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/output.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/terraform.tfvars (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-existing-vpc/variables.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/README.md (100%) rename 
{terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/locals.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/main.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/output.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/terraform.tfvars (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/autoscale-into-new-vpc/variables.tf (100%) create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/main.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/output.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/variables.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/common/main.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/common/output.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/common/variables.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/main.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/output.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/variables.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/main.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/output.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/variables.tf create mode 100755 deprecated/terraform/gcp/separate-single-and-autoscale/common/startup-script.sh rename {terraform/gcp => 
deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/README.md (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/locals.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/main.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/output.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/terraform.tfvars (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-existing-vpc/variables.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-new-vpc/README.md (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-new-vpc/main.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-new-vpc/output.tf (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-new-vpc/terraform.tfvars (100%) rename {terraform/gcp => deprecated/terraform/gcp/separate-single-and-autoscale}/single-into-new-vpc/variables.tf (100%) create mode 100644 terraform/gcp/autoscale/README.md create mode 100644 terraform/gcp/autoscale/locals.tf create mode 100644 terraform/gcp/autoscale/main.tf create mode 100644 terraform/gcp/autoscale/output.tf create mode 100644 terraform/gcp/autoscale/terraform.tfvars create mode 100644 terraform/gcp/autoscale/variables.tf create mode 100644 terraform/gcp/autoscale/versions.tf create mode 100644 terraform/gcp/common/autoscale-common/main.tf create mode 100644 terraform/gcp/common/autoscale-common/output.tf create mode 100644 terraform/gcp/common/autoscale-common/variables.tf create mode 100755 terraform/gcp/common/common/main.tf create mode 100755 
terraform/gcp/common/common/output.tf
 create mode 100755 terraform/gcp/common/common/variables.tf
 create mode 100644 terraform/gcp/common/single-common/main.tf
 create mode 100644 terraform/gcp/common/single-common/output.tf
 create mode 100644 terraform/gcp/common/single-common/variables.tf
 create mode 100644 terraform/gcp/single/README.md
 create mode 100644 terraform/gcp/single/locals.tf
 create mode 100644 terraform/gcp/single/main.tf
 create mode 100644 terraform/gcp/single/output.tf
 create mode 100644 terraform/gcp/single/terraform.tfvars
 create mode 100644 terraform/gcp/single/variables.tf
 create mode 100644 terraform/gcp/single/versions.tf
diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/README.md
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/README.md
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/README.md
diff --git a/terraform/gcp/autoscale-into-existing-vpc/locals.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/locals.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/locals.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/locals.tf
diff --git a/terraform/gcp/autoscale-into-existing-vpc/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/main.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/main.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/main.tf
diff --git a/terraform/gcp/autoscale-into-existing-vpc/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/output.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/output.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/output.tf
diff --git a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/terraform.tfvars
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/terraform.tfvars
diff --git a/terraform/gcp/autoscale-into-existing-vpc/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/variables.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-existing-vpc/variables.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-existing-vpc/variables.tf
diff --git a/terraform/gcp/autoscale-into-new-vpc/README.md b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/README.md
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/README.md
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/README.md
diff --git a/terraform/gcp/autoscale-into-new-vpc/locals.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/locals.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/locals.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/locals.tf
diff --git a/terraform/gcp/autoscale-into-new-vpc/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/main.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/main.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/main.tf
diff --git a/terraform/gcp/autoscale-into-new-vpc/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/output.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/output.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/output.tf
diff --git a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/terraform.tfvars
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/terraform.tfvars
diff --git a/terraform/gcp/autoscale-into-new-vpc/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/variables.tf
similarity index 100%
rename from terraform/gcp/autoscale-into-new-vpc/variables.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/autoscale-into-new-vpc/variables.tf
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/main.tf
new file mode 100755
index 00000000..3027c8fa
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/main.tf
@@ -0,0 +1,132 @@
+locals {
+ disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : ""
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+}
+
+resource "google_compute_address" "member_ip_address" {
+ name = "${var.member_name}-address"
+ region = var.region
+}
+
+resource "google_compute_instance" "cluster_member" {
+ name = var.member_name
+ description = "CloudGuard Highly Available Security Cluster"
+ zone = var.zone
+ tags = [
+ "checkpoint-gateway"]
+ machine_type = var.machine_type
+ can_ip_forward = true
+
+ boot_disk {
+ auto_delete = true
+ device_name = "${var.prefix}-boot"
+
+ initialize_params {
+ size = var.disk_size
+ type = local.disk_type_condition
+ image = var.image_name
+ }
+ }
+
+ network_interface {
+ network = var.cluster_network[0]
+ subnetwork = var.cluster_network_subnetwork[0]
+ }
+ network_interface {
+ network = var.mgmt_network[0]
+ subnetwork = var.mgmt_network_subnetwork[0]
+ access_config {
+ nat_ip = google_compute_address.member_ip_address.address
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 1 ? [
+ 1] : []
+ content {
+ network = var.internal_network1_network[0]
+ subnetwork = var.internal_network1_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 2 ? [
+ 1] : []
+ content {
+ network = var.internal_network2_network[0]
+ subnetwork = var.internal_network2_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 3 ? [
+ 1] : []
+ content {
+ network = var.internal_network3_network[0]
+ subnetwork = var.internal_network3_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 4 ? 
[
+ 1] : []
+ content {
+ network = var.internal_network4_network[0]
+ subnetwork = var.internal_network4_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 5 ? [
+ 1] : []
+ content {
+ network = var.internal_network5_network[0]
+ subnetwork = var.internal_network5_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks == 6 ? [
+ 1] : []
+ content {
+ network = var.internal_network6_network[0]
+ subnetwork = var.internal_network6_subnetwork[0]
+ }
+ }
+
+ service_account {
+
+ scopes = [
+ "https://www.googleapis.com/auth/monitoring.write",
+ "https://www.googleapis.com/auth/compute",
+ "https://www.googleapis.com/auth/cloudruntimeconfig"]
+ }
+
+ metadata = local.admin_SSH_key_condition ? {
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : ""
+ } : { adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : "" }
+
+ metadata_startup_script = templatefile("${path.module}/../startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generate_password
+ config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/${var.prefix}-config"
+ config_path = "projects/${var.project}/configs/${var.prefix}-config"
+ sicKey = var.sic_key
+ allowUploadDownload = var.allow_upload_download
+ templateName = "cluster_tf"
+ templateVersion = "20230910"
+ templateType = "terraform"
+ mgmtNIC = ""
+ hasInternet = "true"
+ enableMonitoring = var.enable_monitoring
+ shell = var.admin_shell
+ installation_type = "Cluster"
+ computed_sic_key = ""
+ managementGUIClientNetwork = ""
+ primary_cluster_address_name = var.primary_cluster_address_name
+ secondary_cluster_address_name = var.secondary_cluster_address_name
+ managementNetwork = var.management_network
+ numAdditionalNICs = var.num_internal_networks
+ smart_1_cloud_token = "${var.member_name}" == 
"${var.prefix}-member-a" ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b
+ name = var.member_name
+ zoneConfig = var.zone
+ region = var.region
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/output.tf
new file mode 100755
index 00000000..ab8ad2dc
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/output.tf
@@ -0,0 +1,6 @@
+output "cluster_member_name" {
+ value = google_compute_instance.cluster_member.name
+}
+output "cluster_member_ip_address" {
+ value = google_compute_address.member_ip_address.address
+}
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/variables.tf
new file mode 100755
index 00000000..333e509f
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/cluster-member/variables.tf
@@ -0,0 +1,184 @@
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "member_name" {
+ type = string
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zone" {
+ type = string
+ default = "us-central1-a"
+}
+variable "machine_type" {
+ type = string
+ description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have."
+ default = "n1-standard-4"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "image_name" {
+ type = string
+ description = "The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-123-456-v12345678). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+}
+variable "cluster_network" {
+ type = list(string)
+ description = "Cluster external network ID in the chosen zone."
+}
+variable "cluster_network_subnetwork" {
+ type = list(string)
+ description = "Cluster subnet ID in the chosen network."
+}
+variable "mgmt_network" {
+ type = list(string)
+ description = "Management network ID in the chosen zone."
+}
+variable "mgmt_network_subnetwork" {
+ type = list(string)
+ description = "Management subnet ID in the chosen network."
+}
+variable "num_internal_networks" {
+ type = number
+ description = "A number in the range 1 - 6 of internal network interfaces."
+ default = 1
+}
+variable "internal_network1_network" {
+ type = list(string)
+ description = "1st internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network1_subnetwork" {
+ type = list(string)
+ description = "1st internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network2_network" {
+ type = list(string)
+ description = "2nd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network2_subnetwork" {
+ type = list(string)
+ description = "2nd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network3_network" {
+ type = list(string)
+ description = "3rd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network3_subnetwork" {
+ type = list(string)
+ description = "3rd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network4_network" {
+ type = list(string)
+ description = "4th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network4_subnetwork" {
+ type = list(string)
+ description = "4th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network5_network" {
+ type = list(string)
+ description = "5th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network5_subnetwork" {
+ type = list(string)
+ description = "5th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network6_network" {
+ type = list(string)
+ description = "6th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network6_subnetwork" {
+ type = list(string)
+ description = "6th internal subnet ID in the chosen network."
+ default = []
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password."
+ default = false
+}
+variable "sic_key" {
+ type = string
+ description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated"
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Allow download from/upload to Check Point."
+ default = false
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "smart_1_cloud_token_a" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "smart_1_cloud_token_b" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "management_network" {
+ type = string
+ description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address."
+}
+variable "generated_admin_password" {
+ type = string
+ description = "administrator password"
+}
+variable "primary_cluster_address_name" {
+ type = string
+}
+variable "secondary_cluster_address_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/main.tf
new file mode 100755
index 00000000..139597f9
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/main.tf
@@ -0,0 +1,2 @@
+
+
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/output.tf
new file mode 100755
index 00000000..e69de29b
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/variables.tf
new file mode 100755
index 00000000..d8b4f110
--- /dev/null
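Review bot: `sic_key`, `generated_admin_password`, `smart_1_cloud_token_a`, `smart_1_cloud_token_b` and `maintenance_mode_password_hash` are secrets, yet none of these `variable` blocks in cluster-member/variables.tf is marked `sensitive = true`, so their values show up in plain text in `terraform plan`/`apply` output wherever the instance's `metadata` and `metadata_startup_script` are diffed. Adding `sensitive = true` to each of those five blocks redacts them from CLI output (they still reach the state file, which has to be protected regardless). Separately, the `sic_key` description promises that "a key will be automatically generated" when not provided, but the variable has no `default`, so Terraform makes it mandatory; either add `default = ""` or drop that sentence. The `num_internal_networks` description promises a 1–6 range that nothing enforces; a `validation { condition = var.num_internal_networks >= 1 && var.num_internal_networks <= 6 ... }` block would turn an out-of-range value into a clear error instead of silently attaching no NIC.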
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/common/variables.tf 
@@ -0,0 +1,85 @@
+variable "installation_type" {
+ type = string
+ description = "Installation type"
+ default = "Gateway only"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+}
+locals {
+ version_allowed_values = [
+ "R81",
+ "R8110",
+ "R8120",
+ "R82"]
+
+ validate_os_version = index(local.version_allowed_values, var.os_version)
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name"
+}
+locals {
+ regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-[^(gw)].*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+ regex_validate_gw_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+ regex_validate_image_name = contains(["Gateway only", "Cluster", "AutoScale"], var.installation_type) ? local.regex_validate_gw_image_name : local.regex_validate_mgmt_image_name
+ regex_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : "Variable [image_name] must be a valid Check Point image name of the correct version."
+ index_image_name = index(["0"], local.regex_image_name)
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+locals {
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = length(regexall(local.regex_valid_admin_SSH_key, var.admin_SSH_key)) > 0 ? 
0 : "Please enter a valid SSH public key or leave empty"
+ index_admin_SSH_key = index(["0"], local.regex_admin_SSH_key)
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+ validation {
+ condition = contains(["static", "ephemeral", "none"], var.externalIP)
+ error_message = "Invalid value for externalIP. Allowed values are 'static', 'ephemeral' or 'none'."
+ }
+}
+locals {
+ external_ip_allowed_values = [
+ "static",
+ "ephemeral",
+ "none"
+ ]
+ validate_external_ip = index(local.external_ip_allowed_values, var.externalIP)
+}
+
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/main.tf
new file mode 100755
index 00000000..9f440b4a
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/main.tf
@@ -0,0 +1,10 @@
+resource "google_compute_firewall" "firewall_rules" {
+ name = var.rule_name
+ network = var.network[0]
+ allow {
+ protocol = var.protocol
+ }
+ source_ranges = var.source_ranges
+ target_tags = [
+ "checkpoint-gateway"]
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/output.tf
new file mode 100755
index 00000000..e6088959
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/output.tf
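Review bot: `regex_valid_admin_SSH_key` in common/variables.tf only admits keys that start with `ssh-rsa`, so an operator who supplies an `ssh-ed25519` or `ecdsa-sha2-nistp256` public key is rejected with "Please enter a valid SSH public key or leave empty" even though the Compute Engine guest environment accepts those key types from instance metadata; widening the pattern to `^(^$|(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) AAAA[0-9A-Za-z+/]+={0,3})` removes a needless push toward RSA. In `regex_validate_mgmt_image_name`, `[^(gw)]` is a character class matching one character that is not `(`, `g`, `w` or `)`, not a negated group, so the "not a gateway image" intent is not actually checked; the management branch should instead reject names containing `-gw-` explicitly, e.g. `length(regexall("-gw-", var.image_name)) == 0`. The file validates `externalIP` twice, once with a native `validation` block and once via the `index()` trick in `locals`; since the `validation` form produces the readable error, the `os_version`, `license`, `admin_SSH_key`, `admin_shell` and `image_name` checks would be clearer written the same way and `local.validate_external_ip` dropped. The diffstat shows the same file is also created at `terraform/gcp/common/common/variables.tf` (outside this chunk), where the same fixes presumably apply.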
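Review bot: `google_compute_firewall.firewall_rules` has an `allow` block with `protocol` only and no `ports`, so every port of that protocol is opened from `source_ranges` to all `checkpoint-gateway`-tagged instances; a `ports` argument fed by a new `list(string)` variable with `default = []` would let callers scope TCP/UDP rules without changing existing behaviour. The module's `source_ranges` variable says an empty list disables the traffic, but nothing in this resource gates creation on it, and as far as I know an ingress rule with neither source ranges nor source tags is treated by the Compute API as applying to all sources, so unless the calling module (outside this chunk) wraps this module in a `count`, an empty list would widen the rule rather than disable it. Guarding the resource with `count = length(var.source_ranges) > 0 ? 1 : 0` would make the documented behaviour true inside the module, with the `firewall_rule_name` output adjusted to use `[*]`.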
@@ -0,0 +1,3 @@
+output "firewall_rule_name" {
+ value = google_compute_firewall.firewall_rules.name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/variables.tf
new file mode 100755
index 00000000..39ac095b
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/firewall-rule/variables.tf
@@ -0,0 +1,17 @@
+variable "protocol" {
+ type = string
+ description = "The IP protocol to which this rule applies."
+}
+variable "source_ranges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for the protocol traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable this protocol traffic."
+ default = []
+}
+variable "rule_name" {
+ type = string
+ description = "Firewall rule name."
+}
+variable "network" {
+ type = list(string)
+ description = "The name or self_link of the network to attach this firewall to."
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/main.tf
new file mode 100755
index 00000000..b34b72c0
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/main.tf
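Review bot: The `source_ranges` description in firewall-rule/variables.tf ends with "Please leave empty list to unable this protocol traffic", where "disable" is meant, and the promise only holds if the caller gates the resource, since the `google_compute_firewall` in this module's main.tf has no `count`; I would reword it to `"Leave the list empty to skip this rule; the calling module must gate the firewall resource on it."` so the contract is explicit. `network` is typed `list(string)` but described as "The name or self_link of the network", and main.tf reads only `var.network[0]`; the description should say it is a single-element list, presumably the shape the network-and-subnet module's `[*]` outputs produce.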
@@ -0,0 +1,21 @@
+locals {
+ create_network_condition = var.network_cidr == "" ? false : true
+}
+
+resource "google_compute_network" "network" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${replace(var.prefix, "--", "-")}-${replace(replace(var.type, "(", ""), ")", "")}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "subnetwork" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${replace(var.prefix, "--", "-")}-${replace(replace(replace(var.type, "(", ""), ")", ""), "--", "-")}-subnet"
+ ip_cidr_range = var.network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.network[count.index].id
+}
+data "google_compute_network" "network_name" {
+ count = local.create_network_condition ? 0 : 1
+ name = var.network_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/output.tf
new file mode 100755
index 00000000..862f84e4
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/output.tf
@@ -0,0 +1,18 @@
+output "new_created_network_link" {
+ value = google_compute_network.network[*].self_link
+}
+output "new_created_subnet_link" {
+ value = google_compute_subnetwork.subnetwork[*].self_link
+}
+output "existing_network_link" {
+ value = data.google_compute_network.network_name[*].self_link
+}
+output "new_created_network_name" {
+ value = google_compute_network.network[*].name
+}
+output "new_created_subnet_name" {
+ value = google_compute_subnetwork.subnetwork[*].name
+}
+output "existing_network_name" {
+ value = data.google_compute_network.network_name[*].name
+}
\ No newline at end of file
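Review bot: `private_ip_google_access = true` on `google_compute_subnetwork.subnetwork` is hard-coded even though this module declares `variable "private_ip_google_access"` (next hunk, variables.tf) and the autoscale root module passes a value for it, so the input is silently ignored; the line should be `private_ip_google_access = var.private_ip_google_access`. `create_network_condition = var.network_cidr == "" ? false : true` reads more directly as `create_network_condition = var.network_cidr != ""`. The `name` expressions strip `(`, `)` and `--` out of `var.type`, presumably because callers may pass display-style text; a comment such as `// strip characters GCE does not accept in resource names from var.type` would make that intent explicit.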
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/variables.tf
new file mode 100755
index 00000000..333d4f35
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/network-and-subnet/variables.tf
@@ -0,0 +1,27 @@
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "type" {
+ type = string
+}
+variable "network_cidr" {
+ type = string
+ description = "External subnet CIDR. If the variable's value is not empty double quotes, a new network will be created."
+ default = "10.0.0.0/24"
+}
+variable "private_ip_google_access" {
+ type = bool
+ description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access."
+ default = true
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "network_name" {
+ type = string
+ description = "External network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.network_cidr, this network name will not be used."
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/separate-single-and-autoscale/common/startup-script.sh b/deprecated/terraform/gcp/separate-single-and-autoscale/common/startup-script.sh
new file mode 100755
index 00000000..6140c974
--- /dev/null
+++ b/deprecated/terraform/gcp/separate-single-and-autoscale/common/startup-script.sh
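Review bot: `variable "type"` and `variable "region"` carry no `description`, while every other input in this file does; since `type` is spliced into resource names after parentheses and double hyphens are stripped, a description like `"Deployment type used in the network and subnet names (e.g. autoscale); parentheses and '--' are removed."` would tell callers what is accepted. The `network_name` description runs two sentences together (`access.If`) and should have a space after the period.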
@@ -0,0 +1,3 @@
+#cloud-config
+runcmd:
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installation_type}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/README.md
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/README.md
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/README.md
diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/locals.tf
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/locals.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/locals.tf
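Review bot: The `runcmd` line interpolates `sicKey`, `computed_sic_key`, `smart_1_cloud_token` and `maintenance_mode_password_hash` straight into the command string, so if this template is rendered into the instance's startup-script metadata (the rendering call is not in this diff) those values sit in instance metadata and in cloud-init's logged command line, both of which are readable by anyone who can read the instance rather than only by the boot process. A header comment making that explicit, e.g. `# NOTE: rendered into instance metadata; every interpolated value below is visible to anyone who can read the instance`, would at least document the exposure for operators. The quoting is also mixed: most values use `\"${...}\"` but `mgmtNIC`, `installationType` and `smart1CloudToken` use `"X${...}X"`, and a comment explaining the `X` sentinel wrapping (presumably consumed by /etc/cloud_config.py) would save the next reader from guessing.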
diff --git a/terraform/gcp/single-into-existing-vpc/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/main.tf
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/main.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/main.tf
diff --git a/terraform/gcp/single-into-existing-vpc/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/output.tf
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/output.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/output.tf
diff --git a/terraform/gcp/single-into-existing-vpc/terraform.tfvars b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/terraform.tfvars
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/terraform.tfvars
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/terraform.tfvars
diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/variables.tf
similarity index 100%
rename from terraform/gcp/single-into-existing-vpc/variables.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-existing-vpc/variables.tf
diff --git a/terraform/gcp/single-into-new-vpc/README.md b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/README.md
similarity index 100%
rename from terraform/gcp/single-into-new-vpc/README.md
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/README.md
diff --git a/terraform/gcp/single-into-new-vpc/main.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/main.tf
similarity index 100%
rename from terraform/gcp/single-into-new-vpc/main.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/main.tf
diff --git a/terraform/gcp/single-into-new-vpc/output.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/output.tf
similarity index 100%
rename from terraform/gcp/single-into-new-vpc/output.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/output.tf
diff --git a/terraform/gcp/single-into-new-vpc/terraform.tfvars b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/terraform.tfvars
similarity index 100%
rename from terraform/gcp/single-into-new-vpc/terraform.tfvars
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/terraform.tfvars
diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/variables.tf
similarity index 100%
rename from terraform/gcp/single-into-new-vpc/variables.tf
rename to deprecated/terraform/gcp/separate-single-and-autoscale/single-into-new-vpc/variables.tf
diff --git a/terraform/gcp/autoscale/README.md b/terraform/gcp/autoscale/README.md
new file mode 100644
index 00000000..d279e6b1
--- /dev/null
+++ b/terraform/gcp/autoscale/README.md
@@ -0,0 +1,257 @@
+# Check Point Autoscale into VPC (MIG) Terraform module for GCP
+
+Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways on GCP.
+
+These types of Terraform resources are supported:
+* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html)
+* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation
+* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html)
+* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html)
+
+
+For additional information,
+please see the [CloudGuard Network for GCP Autoscaling MIG Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm)
+
+Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**.
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+## Configuring the Provider
+The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources:
+```
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+...
+```
+
+1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file.
Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions:
+ ```
+ compute.autoscalers.create
+ compute.autoscalers.delete
+ compute.autoscalers.get
+ compute.autoscalers.update
+ compute.disks.create
+ compute.firewalls.create
+ compute.firewalls.delete
+ compute.firewalls.get
+ compute.firewalls.update
+ compute.instanceGroupManagers.create
+ compute.instanceGroupManagers.delete
+ compute.instanceGroupManagers.get
+ compute.instanceGroupManagers.use
+ compute.instanceGroups.delete
+ compute.instanceTemplates.create
+ compute.instanceTemplates.delete
+ compute.instanceTemplates.get
+ compute.instanceTemplates.useReadOnly
+ compute.instances.create
+ compute.instances.setMetadata
+ compute.instances.setTags
+ compute.networks.get
+ compute.networks.updatePolicy
+ compute.regions.list
+ compute.subnetworks.get
+ compute.subnetworks.use
+ compute.subnetworks.useExternalIp
+ iam.serviceAccounts.actAs
+ ```
+3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1).
+ - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows:
+ ```
+ service_account_path = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ region = "us-central1"
+ ```
+ - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented:
+ ```
+ provider "google" {
+ // credentials = file(var.service_account_path)
+ // project = var.project
+
+ region = var.region
+ }
+ ```
+ b.In the terraform.tfvars file leave empty double quotes for credentials and project variables:
+ ```
+ service_account_path = ""
+ project = ""
+ ```
+## Usage
+- Fill all variables in the /gcp/autoscale-into-existing-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+#### Variables are configured in autoscale-into-existing-vpc/**terraform.tfvars** file as follows:
+```
+# --- Google Provider ---
+service_account_path = "service-accounts/service-account-file-name.json"
+project = "project-id"
+
+# --- Check Point---
+prefix = "chkp-tf-mig"
+license = "BYOL"
+image_name = "check-point-r8120-gw-byol-mig-631-991001669-v20240923"
+os_version = "R8120"
+management_nic = "Ephemeral Public IP (eth0)"
+management_name = "tf-checkpoint-management"
+configuration_template_name = "tf-asg-autoprov-tmplt"
+generate_password = true
+admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+network_defined_by_routes = true
+admin_shell = "/etc/cli.sh"
+allow_upload_download = true
+
+# --- Networking ---
+region = "us-central1"
+external_network_name = ""
+external_subnetwork_name = ""
+external_network_cidr = "10.0.1.0/24"
+internal_network_name = ""
+internal_subnetwork_name = ""
+internal_network_cidr = "10.0.2.0/24"
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = []
+SCTP_traffic = []
+ESP_traffic = []
+
+# --- Instance Configuration ---
+machine_type = "n1-standard-4" +cpu_usage = 60 +instances_min_group_size = 2 +instances_max_group_size = 10 +disk_type = "SSD Persistent Disk" +disk_size = 100 +enable_monitoring = false +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +
1. For each network and subnet variable, you can choose whether to create a new network with a new subnet or to use an existing one. + +- If you want to create a new network and subnet, please input a subnet CIDR block for the desired new network - In this case, the network name and subnetwork name will not be used: + +``` + external_network_name = "not-use" + external_subnetwork_name = "not-use" + external_network_cidr = "10.0.1.0/24" +``` + +- Otherwise, if you want to use existing network and subnet, please leave empty double quotes in the CIDR variable for the desired network: + +``` + external_network_name = "network name" + external_subnetwork_name = "subnetwork name" + external_network_cidr = "10.0.1.0/24" +``` + +
2. To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges.
+```
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = []
+SCTP_traffic = []
+ESP_traffic = []
+```
+Please leave empty list for a protocol if you want to disable traffic for it.
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required |
+| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- |
+| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes |
+| project | Personal project ID. The project indicates the default GCP project all of your resources will be created in. The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphenst and cannot end with a hyphen. | string | N/A | "" | yes |
+| | | | | |
+| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no |
+| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no |
+| image_name | The autoscaling (MIG) image name (e.g. ccheck-point-r8120-gw-byol-mig-631-991001669-v20240923). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes |
+| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82; | R8120 | yes |
+| | | | | |
+| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no |
+| management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no |
+| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no |
+| generate_password | Automatically generate an administrator password. | bool | true/false | false | no |
+| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no |
+| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | N/A | "" | no |
+| network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no |
+| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| | | | | |
+| region | GCP region | string | N/A | N/A | yes |
+| external_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes |
+| external_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes |
+| external_network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A |"10.0.1.0/24" | no|
+| internal_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes |
+| internal_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes |
+| internal_network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A |"10.0.2.0/24" | no|
+| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no |
+| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic.
| list(string) | N/A | [] | no |
+| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no |
+| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no |
+| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no |
+| | | | | |
+| machine_type | Machine Type. | string | N/A | "n1-standard-4" | no |
+| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no |
+| instances_min_group_size | The minimal number of instances | number | N/A | 2 | no |
+| instances_max_group_size | The maximal number of instances | number | N/A | 10 | no |
+| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Balanced Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no |
+| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no |
+| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no |
+
+
+
+## Outputs
+| Name | Description |
+| ------------- | ------------- |
+| SIC_key | Secure Internal Communication (SIC) initiation key. |
+| management_name | Security Management server name. |
+| configuration_template_name | Provisioning configuration template name. |
+| instance_template_name | Instance template name. |
+| instance_group_manager_name | Instance group manager name. |
+| autoscaler_name | Autoscaler name. |
+| external_network | If external_network_cidr has been set - it will create new network |
+| external_subnet | If external_network_cider has been set - it will create new subnet in the new network |
+| internal_network | If internal_network_cidr has been set - it will create new network |
+| internal_subnet | If internal_network_cider has been set - it will create new subnet in the new network |
+| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. |
+| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. |
+| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. |
+| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. |
+| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list.
|
+
+## Revision History
+In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description |
+| ---------------- | ------------- |
+| 20240909 | Merged autoscale-into-new-vpc and autoscale-into-existing-vpc to autoscale template
+
+
+## Authors
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
\ No newline at end of file
diff --git a/terraform/gcp/autoscale/locals.tf b/terraform/gcp/autoscale/locals.tf
new file mode 100644
index 00000000..c2d4166a
--- /dev/null
+++ b/terraform/gcp/autoscale/locals.tf
@@ -0,0 +1,9 @@
+locals{
+ create_external_network_condition = var.external_network_cidr == "" ? false : true
+ create_internal_network_condition = var.internal_network_cidr == "" ? false : true
+ ICMP_traffic_condition = length(var.ICMP_traffic) == 0 ? false : true
+ TCP_traffic_condition = length(var.TCP_traffic) == 0 ? false : true
+ UDP_traffic_condition = length(var.UDP_traffic) == 0 ? false : true
+ SCTP_traffic_condition = length(var.SCTP_traffic) == 0 ? false : true
+ ESP_traffic_condition = length(var.ESP_traffic) == 0 ? false : true
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale/main.tf b/terraform/gcp/autoscale/main.tf
new file mode 100644
index 00000000..bcd18e93
--- /dev/null
+++ b/terraform/gcp/autoscale/main.tf
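Review bot: Every local in locals.tf spells a boolean as `<expr> == "" ? false : true` or `length(<list>) == 0 ? false : true`; the direct forms `var.external_network_cidr != ""` and `length(var.ICMP_traffic) > 0` are equivalent and read as the predicates they are, and `locals{` is missing the conventional space before the brace. These `*_traffic_condition` values are what stop main.tf from instantiating the firewall-rule module with an empty `source_ranges`, which is worth saying in the file: `# A protocol's firewall rule is created only when its source-range list is non-empty; an empty list must never reach the firewall-rule module.`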
@@ -0,0 +1,130 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+resource "random_string" "mig_random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+module "common" {
+ source = "../common/common"
+ installation_type = "AutoScale"
+ os_version = var.os_version
+ image_name = var.image_name
+ admin_shell = var.admin_shell
+ license = var.license
+ admin_SSH_key = var.admin_SSH_key
+}
+
+module "external_network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-ext-network-${random_string.mig_random_string.result}"
+ type = "autoscale"
+ network_cidr = var.external_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.external_network_name
+
+}
+module "internal_network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-int-network-${random_string.mig_random_string.result}"
+ type = "autoscale"
+ network_cidr = var.internal_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.internal_network_name
+
+}
+
+module "network_ICMP_firewall_rules" {
+ count = local.ICMP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "icmp"
+ source_ranges = var.ICMP_traffic
+ rule_name = "${var.prefix}-icmp-${random_string.random_string.result}"
+ network = local.create_external_network_condition ? module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+}
+module "network_TCP_firewall_rules" {
+ count = local.TCP_traffic_condition == true ?
1 :0
+ source = "../common/firewall-rule"
+ protocol = "tcp"
+ source_ranges = var.TCP_traffic
+ rule_name = "${var.prefix}-tcp-${random_string.random_string.result}"
+ network = local.create_external_network_condition ? module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+}
+module "network_UDP_firewall_rules" {
+ count = local.UDP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "udp"
+ source_ranges = var.UDP_traffic
+ rule_name = "${var.prefix}-udp-${random_string.random_string.result}"
+ network = local.create_external_network_condition ? module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+}
+module "network_SCTP_firewall_rules" {
+ count = local.SCTP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "sctp"
+ source_ranges = var.UDP_traffic
+ rule_name = "${var.prefix}-sctp-${random_string.random_string.result}"
+ network = local.create_external_network_condition ? module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+}
+module "network_ESP_firewall_rules" {
+ count = local.ESP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "esp"
+ source_ranges = var.ESP_traffic
+ rule_name = "${var.prefix}-esp-${random_string.random_string.result}"
+ network = local.create_external_network_condition ?
module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+}
+
+module "autoscale" {
+ source = "../common/autoscale-common"
+
+ service_account_path = var.service_account_path
+ project = var.project
+
+ # --- Check Point---
+ prefix = var.prefix
+ image_name = var.image_name
+ os_version = var.os_version
+ management_nic = var.management_nic
+ management_name = var.management_name
+ configuration_template_name = var.configuration_template_name
+ generate_password = var.generate_password
+ admin_SSH_key = var.admin_SSH_key
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ network_defined_by_routes = var.network_defined_by_routes
+ admin_shell = var.admin_shell
+ allow_upload_download = var.allow_upload_download
+
+ # --- Networking ---
+ region = var.region
+ external_network = local.create_external_network_condition ? module.external_network_and_subnet.new_created_network_link : module.external_network_and_subnet.existing_network_link
+ external_subnetwork = local.create_external_network_condition ? module.external_network_and_subnet.new_created_subnet_link : [var.external_subnetwork_name]
+ internal_network = local.create_internal_network_condition ? module.internal_network_and_subnet.new_created_network_link : module.internal_network_and_subnet.existing_network_link
+ internal_subnetwork = local.create_internal_network_condition ?
module.internal_network_and_subnet.new_created_subnet_link : [var.internal_subnetwork_name]
+ ICMP_traffic = var.ICMP_traffic
+ TCP_traffic = var.TCP_traffic
+ UDP_traffic = var.UDP_traffic
+ SCTP_traffic = var.SCTP_traffic
+ ESP_traffic = var.ESP_traffic
+
+ # --- Instance Configuration ---
+ machine_type = var.machine_type
+ cpu_usage = var.cpu_usage
+ instances_min_group_size = var.instances_min_group_size
+ instances_max_group_size = var.instances_max_group_size
+ disk_type = var.disk_type
+ disk_size = var.disk_size
+ enable_monitoring = var.enable_monitoring
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale/output.tf b/terraform/gcp/autoscale/output.tf
new file mode 100644
index 00000000..d2de2ce4
--- /dev/null
+++ b/terraform/gcp/autoscale/output.tf
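Review bot: `module "network_SCTP_firewall_rules"` passes `source_ranges = var.UDP_traffic`, a copy-paste remnant of the UDP block; it should be `source_ranges = var.SCTP_traffic`. As written, setting `SCTP_traffic` alone creates an SCTP rule whose allowed sources are the UDP list, and when `UDP_traffic` is empty it hands the firewall-rule module an empty `source_ranges`, which the google provider either rejects or, if it reaches the API, widens to all sources. The `count = local.X_traffic_condition == true ? 1 :0` comparisons in the ICMP, TCP, UDP, SCTP and ESP blocks can be `count = local.X_traffic_condition ? 1 : 0` since the locals are already booleans. The two `random_string` resources are configured identically, so a comment stating why the network names and the firewall-rule names get independent suffixes (presumably so rules can be recreated without renaming networks) would help the next reader.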
@@ -0,0 +1,42 @@
+output "external_network_name" {
+ value = module.external_network_and_subnet.new_created_network_name
+}
+output "external_subnetwork_name" {
+ value = module.external_network_and_subnet.new_created_subnet_name
+}
+output "internal_network_name" {
+ value = module.internal_network_and_subnet.new_created_network_name
+}
+output "internal_subnetwork_name" {
+ value = module.internal_network_and_subnet.new_created_subnet_name
+}
+output "network_ICMP_firewall_rule" {
+ value = module.network_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "network_TCP_firewall_rule" {
+ value = module.network_TCP_firewall_rules[*].firewall_rule_name
+}
+output "network_UDP_firewall_rule" {
+ value = module.network_UDP_firewall_rules[*].firewall_rule_name
+}
+output "network_SCTP_firewall_rule" {
+ value = module.network_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "network_ESP_firewall_rule" {
+ value = module.network_ESP_firewall_rules[*].firewall_rule_name
+}
+output "SIC_key"{
+ value = module.autoscale.SIC_key
+}
+output "management_name"{
+ value = module.autoscale.configuration_template_name
+}
+output "instance_template_name"{
+ value = module.autoscale.instance_template_name
+}
+output "instance_group_manager_name"{
+ value = module.autoscale.instance_group_manager_name
+}
+output "autoscaler_name"{
+ value = module.autoscale.autoscaler_name
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale/terraform.tfvars b/terraform/gcp/autoscale/terraform.tfvars
new file mode 100644
index 00000000..763ff50a
--- /dev/null
+++ b/terraform/gcp/autoscale/terraform.tfvars
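Review bot: `output "management_name"` returns `module.autoscale.configuration_template_name`, so the value labelled as the management server name is actually the template name; it should be `value = module.autoscale.management_name`, and the separate `configuration_template_name` output that the README's Outputs table lists is missing altogether. `output "SIC_key"` exposes the Secure Internal Communication key in clear text in `terraform output`, plan/apply logs and any CI console that runs them; adding `sensitive = true` to that block redacts it from CLI output (it still lands in the state file, which therefore has to be protected as a secret either way). The README also documents outputs named external_network, external_subnet, internal_network and internal_subnet, whereas this file defines `external_network_name`, `external_subnetwork_name` and friends, so one of the two should be aligned.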
@@ -0,0 +1,41 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-mig-631-991001669-v20240923"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+generate_password = "PLEASE ENTER true or false" # false
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+network_defined_by_routes = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+allow_upload_download = "PLEASE ENTER true OR false" # true
+
+# --- Networking ---
+region = "PLEASE ENTER REGION" # "us-central1"
+external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # ""
+external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # ""
+external_network_cidr = "PLEASE ENTER EXTERNAL NETWORK CIDR" # "10.0.1.0/24"
+internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # ""
+internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # ""
+internal_network_cidr = "PLEASE ENTER INTERNAL NETWORK CIDR" # "10.0.2.0/24"
+ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+
+# --- Instance Configuration ---
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_group_size = "PLEASE ENTER INSTANCES MIN GROUP SIZE" # 2
+instances_max_group_size = "PLEASE ENTER INSTANCES MAX GROUP SIZE" # 10
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/terraform/gcp/autoscale/variables.tf b/terraform/gcp/autoscale/variables.tf
new file mode 100644
index 00000000..6bd3c7a4
--- /dev/null
+++ b/terraform/gcp/autoscale/variables.tf
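Review bot: The inline example for `TCP_traffic`, `["0.0.0.0/0"]`, models opening every TCP port from the whole Internet, while the neighbouring ICMP example shows specific ranges; since operators copy this template verbatim, the comment should show the safe shape, e.g. `# ["198.51.100.0/24"]` for administrative ranges, with a remark that `0.0.0.0/0` belongs only on services deliberately published through the gateway. This is also the file where `service_account_path`, `admin_SSH_key` and `maintenance_mode_password_hash` get real values, and because `terraform.tfvars` is auto-loaded it tends to be committed once filled in; a top-of-file comment such as `# Do not commit this file with real credentials; keep the service-account key outside the repository` would help. Whether these ranges land on a rule scoped by target tag or on the whole network cannot be seen from this hunk.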
@@ -0,0 +1,206 @@ +# Check Point CloudGuard IaaS Autoscaling - Terraform Template + +# --- Google Provider --- +variable "service_account_path" { + type = string + description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" + validation { + condition = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project)) && length(var.project) >= 6 && length(var.project) <= 30 + error_message = "The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphenst and cannot end with a hyphen." + } +} + +# --- Check Point--- +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-mig" +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" + validation { + condition = contains(["BYOL" , "PAYG"] , var.license) + error_message = "Allowed licenses are 'BYOL' , 'PAYG'" + } +} +variable "image_name" { + type = string + description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). 
You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" + validation { + condition = contains(["R8110", "R8120" , "R81", "R82"], var.os_version) + error_message = "Allowed values for os-version are 'R81', 'R8110' , 'R8120', 'R82'" + } +} +variable "management_nic" { + type = string + description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" + validation { + condition = contains(["Ephemeral Public IP (eth0)", "Private IP (eth1)"], var.management_nic) + error_message = "Allowed values for management_nic are 'Ephemeral Public IP (eth0)ad', 'Private IP (eth1)'" + } +} +variable "management_name" { + type = string + description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)" + default = "tf-checkpoint-management" +} +variable "configuration_template_name" { + type = string + description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)" + default = "tf-asg-autoprov-tmplt" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password" + default = false +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = "" +} +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "network_defined_by_routes" { + type = bool + description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." + default = true +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" + validation { + condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin_shell) + error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'" + } +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} + +# --- Networking --- +data "google_compute_regions" "available_regions" { +} +variable "region" { + type = string + default = "us-central1" +} + +variable "external_network_cidr" { + type = string + description = "The range of external addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")." +} +variable "internal_network_cidr" { + type = string + description = "The range of internal addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")." +} +variable "ICMP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic." + default = [] +} +variable "TCP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. 
Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic." + default = [] +} +variable "UDP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic." + default = [] +} +variable "SCTP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic." + default = [] +} +variable "ESP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic." + default = [] +} + +# --- Instance Configuration --- +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "cpu_usage" { + type = number + description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance." + default = 60 +} +resource "null_resource" "cpu_usage_validation" { + // Will fail if var.cpu_usage is less than 10 or more than 90 + count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 
0 : "variable cpu_usage must be a number between 10 and 90" +} +variable "instances_min_group_size" { + type = number + description = "The minimal number of instances" + default = 2 +} +variable "instances_max_group_size" { + type = number + description = "The maximal number of instances" + default = 10 +} +variable "external_network_name" { + type = string + description = "The network determines what network traffic the instance can access" + default = "" +} +variable "external_subnetwork_name" { + type = string + description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." +} +variable "internal_network_name" { + type = string + description = "The network determines what network traffic the instance can access" +} +variable "internal_subnetwork_name" { + type = string + description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" + validation { + condition = contains(["SSD Persistent Disk" , "Standard Persistent Disk"] , var.disk_type) + error_message = "Allowed values for diskType are : 'SSD Persistent Disk' , 'Standard Persistent Disk'" + } +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." 
+ default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is less than 100 or more than 4096 + count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096" +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} \ No newline at end of file diff --git a/terraform/gcp/autoscale/versions.tf b/terraform/gcp/autoscale/versions.tf new file mode 100644 index 00000000..8212362e --- /dev/null +++ b/terraform/gcp/autoscale/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 0.13" + required_providers { + google = { + source = "hashicorp/google" + version = ">= 3.53, < 5.0" + } + + random = { + source = "hashicorp/random" + version = "~>3.4" + } + } + + provider_meta "google" { + module_name = "blueprints/terraform/canonical-mp/v0.0.1" + } +} \ No newline at end of file diff --git a/terraform/gcp/common/autoscale-common/main.tf b/terraform/gcp/common/autoscale-common/main.tf new file mode 100644 index 00000000..b2136573 --- /dev/null +++ b/terraform/gcp/common/autoscale-common/main.tf 
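Review bot: `maintenance_mode_password_hash` carries credential material but is not declared `sensitive = true`, so the hash shows up in plan diffs of the instance template metadata and in console or log output; add `sensitive = true` to that variable (supported from Terraform 0.14, so the `>= 0.13` floor in `versions.tf` would need raising). The `cpu_usage` and `disk_size` range checks rely on a `null_resource` whose `count` becomes a string on failure, which surfaces as a type-conversion error rather than the intended message, while the same file already uses `validation` blocks for `project`, `license`, `os_version` and `management_nic`; `validation { condition = var.cpu_usage >= 10 && var.cpu_usage <= 90 error_message = "..." }` keeps one mechanism and drops the extra provider. Two message typos: `'Ephemeral Public IP (eth0)ad'` and `hyphenst`; the `data "google_compute_regions"` block is unused.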
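Review bot: `required_providers` pins `google` and `random` but not `null`, which the `null_resource` checks in `variables.tf` pull in implicitly as `hashicorp/null` with no version constraint, so each fresh `terraform init` resolves whatever release is newest; either add `null = { source = "hashicorp/null", version = "~> 3.2" }` here or replace those checks with `validation` blocks so the provider is not needed. The `google` range `>= 3.53, < 5.0` spans two major versions; that is workable only if a `.terraform.lock.hcl` is committed so provider hashes are verified on init, which this patch does not add.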
@@ -0,0 +1,150 @@ +locals{ + mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false + mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private" + mgmt_nic_interface_condition = local.mgmt_nic_condition ? "x-chkp-management-interface--eth0" : "x-chkp-management-interface--eth1" + network_defined_by_routes_condition = var.network_defined_by_routes ? "x-chkp-topology-eth1--internal" : "" + network_defined_by_routes_settings_condition = var.network_defined_by_routes ? "x-chkp-topology-settings-eth1--network-defined-by-routes" : "" + admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false + disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : "" +} +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +resource "random_string" "random_sic_key" { + length = 12 + special = false +} +resource "random_string" "generated_password" { + length = 12 + special = false +} +resource "random_string" "random_string" { + length = 5 + special = false + upper = false + keepers = {} +} +resource "google_compute_instance_template" "instance_template" { + name = "${var.prefix}-tmplt-${random_string.random_string.result}" + machine_type = var.machine_type + can_ip_forward = true + + + disk { + source_image = "checkpoint-public/${var.image_name}" + auto_delete = true + boot = true + device_name = "${var.prefix}-boot-${random_string.random_string.result}" + disk_type = local.disk_type_condition + disk_size_gb = var.disk_size + mode = "READ_WRITE" + type = "PERSISTENT" + } + + network_interface { + network = var.external_network[0] + subnetwork = var.external_subnetwork[0] + dynamic "access_config" { + for_each = local.mgmt_nic_condition ? [ + 1] : [] + content { + network_tier = local.mgmt_nic_condition ? 
"PREMIUM" : "STANDARD" + } + } + } + + network_interface { + network = var.internal_network[0] + subnetwork = var.internal_subnetwork[0] + } + + scheduling { + automatic_restart = true + on_host_maintenance = "MIGRATE" + preemptible = false + } + + service_account { + email = "default" + scopes = [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append"] + } + tags = [ + format("x-chkp-management--%s", var.management_name), + format("x-chkp-template--%s", var.configuration_template_name), + "checkpoint-gateway", + local.mgmt_nic_ip_address_condition, + local.mgmt_nic_interface_condition, + local.network_defined_by_routes_condition, + local.network_defined_by_routes_settings_condition] + + metadata = local.admin_SSH_key_condition ? 
{ + serial-port-enable = "true" + instanceSSHKey = var.admin_SSH_key + adminPasswordSourceMetadata = var.generate_password ?random_string.generated_password.result : "" + } : { + serial-port-enable = "true" + adminPasswordSourceMetadata = var.generate_password?random_string.generated_password.result : "" + } + + metadata_startup_script = templatefile("${path.module}/../startup-script.sh", { + // script's arguments + generatePassword = var.generate_password + config_url = "" + config_path = "" + sicKey = "" + allowUploadDownload = var.allow_upload_download + templateName = "autoscale_tf" + templateVersion = "20230910" + templateType = "terraform" + mgmtNIC = var.management_nic + hasInternet = "false" + enableMonitoring = var.enable_monitoring + shell = var.admin_shell + installation_type = "AutoScale" + computed_sic_key = random_string.random_sic_key.result + managementGUIClientNetwork = "" + primary_cluster_address_name = "" + secondary_cluster_address_name = "" + managementNetwork = "" + numAdditionalNICs = "" + smart_1_cloud_token = "" + name = "" + zoneConfig = "" + region = "" + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) +} +resource "google_compute_region_instance_group_manager" "instance_group_manager" { + region = var.region + name = "${var.prefix}-igm-${random_string.random_string.result}" + version { + instance_template = google_compute_instance_template.instance_template.id + name = "${var.prefix}-tmplt" + } + base_instance_name = "${var.prefix}-${random_string.random_string.result}" +} +resource "google_compute_region_autoscaler" "autoscaler" { + region = var.region + name = "${var.prefix}-autoscaler-${random_string.random_string.result}" + target = google_compute_region_instance_group_manager.instance_group_manager.id + + autoscaling_policy { + max_replicas = var.instances_max_group_size + min_replicas = var.instances_min_group_size + cooldown_period = 90 + + cpu_utilization { + target = 
var.cpu_usage/100 + } + } +} \ No newline at end of file diff --git a/terraform/gcp/common/autoscale-common/output.tf b/terraform/gcp/common/autoscale-common/output.tf new file mode 100644 index 00000000..5e19f52c --- /dev/null +++ b/terraform/gcp/common/autoscale-common/output.tf @@ -0,0 +1,18 @@ +output "SIC_key" { + value = random_string.random_sic_key.result +} +output "management_name" { + value = var.management_name +} +output "configuration_template_name" { + value = var.configuration_template_name +} +output "instance_template_name" { + value = google_compute_instance_template.instance_template.name +} +output "instance_group_manager_name" { + value = google_compute_region_instance_group_manager.instance_group_manager.name +} +output "autoscaler_name" { + value = google_compute_region_autoscaler.autoscaler.name +} \ No newline at end of file diff --git a/terraform/gcp/common/autoscale-common/variables.tf b/terraform/gcp/common/autoscale-common/variables.tf new file mode 100644 index 00000000..96de950d --- /dev/null +++ b/terraform/gcp/common/autoscale-common/variables.tf 
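Review bot: `random_sic_key` and `generated_password` at the top of the hunk are `random_string` resources, whose `result` is not marked sensitive, so the SIC key and the generated admin password are printed in plan/apply output and CI logs before they ever reach a gateway; `random_password` takes the same arguments and flags `result` as sensitive (both still sit in plaintext in the state, so the state backend must be protected regardless). The generated password is then written to instance metadata as `adminPasswordSourceMetadata`, readable by anyone with `compute.instances.get` on the project and by every process on the gateway through the metadata server, and `serial-port-enable = "true"` is hard-coded so the interactive serial console is always on; both deserve a why-comment and the serial console a variable to switch it off. The template also runs as the Compute Engine default service account (`email = "default"`), which commonly carries project-level Editor; a `service_account_email` variable pointing at a purpose-built account with only the listed scopes would follow least privilege. Minor: the `network_tier` conditional inside `access_config` is only evaluated when `local.mgmt_nic_condition` is true, so it always yields `"PREMIUM"`.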
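Review bot: `output "SIC_key"` hands `random_string.random_sic_key.result` to the caller without `sensitive = true`, so the key is echoed by every root module that references it; mark it `sensitive = true` here, which also forces callers to mark their own output sensitive before Terraform will show it — the ratchet you want for a trust-establishment secret. The remaining outputs are resource names and can stay as they are.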
@@ -0,0 +1,179 @@ +# Check Point CloudGuard IaaS Autoscaling - Terraform Template + +# --- Google Provider --- +variable "service_account_path" { + type = string + description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} + +# --- Check Point--- +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-mig" +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" +} +variable "image_name" { + type = string + description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" +} +variable "management_nic" { + type = string + description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" +} +variable "management_name" { + type = string + description = "The name of the Security Management Server as appears in autoprovisioning configuration. 
(Please enter a valid Security Management name including ascii characters only)" + default = "tf-checkpoint-management" +} +variable "configuration_template_name" { + type = string + description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)" + default = "tf-asg-autoprov-tmplt" +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password" + default = false +} +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "network_defined_by_routes" { + type = bool + description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." + default = true +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} + +# --- Networking --- +data "google_compute_regions" "available_regions" { +} +variable "region" { + type = string + default = "us-central1" +} + +variable "external_network" { + type = list(string) + description = "The network determines what network traffic the instance can access" + default = ["default"] +} +variable "external_subnetwork" { + type = list(string) + description = "The subnetwork determines what network traffic the instance can access" + default = ["default"] +} + +variable "internal_network" { + type = list(string) + description = "The network determines what network traffic the instance can access" + default = ["default"] +} +variable "internal_subnetwork" { + type = list(string) + description = "The subnetwork determines what network traffic the instance can access" + default = ["default"] +} + +variable "ICMP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic." + default = [] +} +variable "TCP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic." + default = [] +} +variable "UDP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic." + default = [] +} +variable "SCTP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. 
Please leave empty list to unable SCTP traffic." + default = [] +} +variable "ESP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic." + default = [] +} + +# --- Instance Configuration --- +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "cpu_usage" { + type = number + description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance." + default = 60 +} +resource "null_resource" "cpu_usage_validation" { + // Will fail if var.cpu_usage is less than 10 or more than 90 + count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90" +} +variable "instances_min_group_size" { + type = number + description = "The minimal number of instances" + default = 2 +} +variable "instances_max_group_size" { + type = number + description = "The maximal number of instances" + default = 10 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is less than 100 or more than 4096 + count = var.disk_size >= 100 && var.disk_size <= 4096 ? 
0 : "variable disk_size must be a number between 100 and 4096" +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} \ No newline at end of file diff --git a/terraform/gcp/common/cluster-member/main.tf b/terraform/gcp/common/cluster-member/main.tf index c5ae7eda..3027c8fa 100755 --- a/terraform/gcp/common/cluster-member/main.tf +++ b/terraform/gcp/common/cluster-member/main.tf @@ -115,7 +115,7 @@ resource "google_compute_instance" "cluster_member" { hasInternet = "true" enableMonitoring = var.enable_monitoring shell = var.admin_shell - installationType = "Cluster" + installation_type = "Cluster" computed_sic_key = "" managementGUIClientNetwork = "" primary_cluster_address_name = var.primary_cluster_address_name diff --git a/terraform/gcp/common/common/main.tf b/terraform/gcp/common/common/main.tf new file mode 100755 index 00000000..139597f9 --- /dev/null +++ b/terraform/gcp/common/common/main.tf @@ -0,0 +1,2 @@ + + diff --git a/terraform/gcp/common/common/output.tf b/terraform/gcp/common/common/output.tf new file mode 100755 index 00000000..e69de29b diff --git a/terraform/gcp/common/common/variables.tf b/terraform/gcp/common/common/variables.tf new file mode 100755 index 00000000..d8b4f110 --- /dev/null +++ b/terraform/gcp/common/common/variables.tf 
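Review bot: `external_network`, `external_subnetwork`, `internal_network` and `internal_subnetwork` all default to `["default"]`, so a caller that omits any of them silently attaches that NIC of every gateway to the project's `default` VPC, which typically carries the auto-created allow-ssh/rdp/icmp-from-anywhere rules, and with both NICs on the same network the external/internal split the gateway depends on is gone; make these required by removing the `default`, or add a `validation` that the two networks differ. `maintenance_mode_password_hash` is again missing `sensitive = true`, and the unused `data "google_compute_regions"` block plus the two `null_resource` range checks duplicate what the root `variables.tf` already enforces, so this module could rely on its caller or use `validation` blocks itself.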
@@ -0,0 +1,85 @@ +variable "installation_type" { + type = string + description = "Installation type" + default = "Gateway only" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" +} +locals { + version_allowed_values = [ + "R81", + "R8110", + "R8120", + "R82"] + + validate_os_version = index(local.version_allowed_values, var.os_version) +} +variable "image_name" { + type = string + description = "The single gateway and management image name" +} +locals { + regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-[^(gw)].*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" + regex_validate_gw_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" + regex_validate_image_name = contains(["Gateway only", "Cluster", "AutoScale"], var.installation_type) ? local.regex_validate_gw_image_name : local.regex_validate_mgmt_image_name + regex_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : "Variable [image_name] must be a valid Check Point image name of the correct version." + index_image_name = index(["0"], local.regex_image_name) +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" +} +locals { + license_allowed_values = [ + "BYOL", + "PAYG"] + // will fail if [var.license] is invalid: + validate_license = index(local.license_allowed_values, upper(var.license)) +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +locals { + regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})" + // Will fail if var.admin_SSH_key is invalid + regex_admin_SSH_key = length(regexall(local.regex_valid_admin_SSH_key, var.admin_SSH_key)) > 0 ? 
0 : "Please enter a valid SSH public key or leave empty" + index_admin_SSH_key = index(["0"], local.regex_admin_SSH_key) +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) +} +variable "externalIP" { + type = string + description = "External IP address type" + default = "static" + validation { + condition = contains(["static", "ephemeral", "none"], var.externalIP) + error_message = "Invalid value for externalIP. Allowed values are 'static', 'ephemeral' or 'none'." + } +} +locals { + external_ip_allowed_values = [ + "static", + "ephemeral", + "none" + ] + validate_external_ip = index(local.external_ip_allowed_values, var.externalIP) +} + diff --git a/terraform/gcp/common/members-a-b/main.tf b/terraform/gcp/common/members-a-b/main.tf index 8424e7d8..7796ac4c 100755 --- a/terraform/gcp/common/members-a-b/main.tf +++ b/terraform/gcp/common/members-a-b/main.tf @@ -4,7 +4,7 @@ module "member_a" { prefix = var.prefix member_name = "${var.prefix}-member-a" region = var.region - zone = var.zoneA + zone = var.zone_a machine_type = var.machine_type disk_size = var.disk_size disk_type = var.disk_type @@ -49,7 +49,7 @@ module "member_b" { prefix = var.prefix member_name = "${var.prefix}-member-b" region = var.region - zone = var.zoneB + zone = var.zone_b machine_type = var.machine_type disk_size = var.disk_size disk_type = var.disk_type diff --git a/terraform/gcp/common/members-a-b/variables.tf b/terraform/gcp/common/members-a-b/variables.tf index 6fa8b30c..4ac48bc2 100755 --- a/terraform/gcp/common/members-a-b/variables.tf +++ b/terraform/gcp/common/members-a-b/variables.tf 
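Review bot: `regex_valid_admin_SSH_key` accepts only `ssh-rsa` keys and is not end-anchored, so `ssh-ed25519` and `ecdsa-sha2-*` public keys are rejected outright while an `ssh-rsa` line followed by arbitrary text passes; a pattern such as `^(^$|(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) AAAA[0-9A-Za-z+/]+={0,3}( .*)?$)` covers current key types and closes the tail. `regex_validate_mgmt_image_name` uses `[^(gw)]`, which is a character class excluding the four characters `(`, `g`, `w` and `)` rather than a "not gw" test, so any management image whose segment starts with `g` or `w` is refused for the wrong reason; RE2 has no look-ahead, so the gateway exclusion should be a separate check like `length(regexall("^check-point-${lower(var.os_version)}-gw-", var.image_name)) == 0`. `externalIP` is also validated twice, once by the `validation` block and once by the `index()` local, so one of them can go.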
@@ -7,11 +7,11 @@ variable "region" { type = string default = "us-central1" } -variable "zoneA" { +variable "zone_a" { type = string default = "us-central1-a" } -variable "zoneB" { +variable "zone_b" { type = string default = "us-central1-a" } diff --git a/terraform/gcp/common/network-and-subnet/main.tf b/terraform/gcp/common/network-and-subnet/main.tf index 7665da7c..b34b72c0 100755 --- a/terraform/gcp/common/network-and-subnet/main.tf +++ b/terraform/gcp/common/network-and-subnet/main.tf @@ -4,12 +4,12 @@ locals { resource "google_compute_network" "network" { count = local.create_network_condition ? 1 : 0 - name = "${var.prefix}-${var.type}" + name = "${replace(var.prefix, "--", "-")}-${replace(replace(var.type, "(", ""), ")", "")}" auto_create_subnetworks = false } resource "google_compute_subnetwork" "subnetwork" { count = local.create_network_condition ? 1 : 0 - name = "${var.prefix}-${var.type}-subnet" + name = "${replace(var.prefix, "--", "-")}-${replace(replace(replace(var.type, "(", ""), ")", ""), "--", "-")}-subnet" ip_cidr_range = var.network_cidr private_ip_google_access = true region = var.region diff --git a/terraform/gcp/common/single-common/main.tf b/terraform/gcp/common/single-common/main.tf new file mode 100644 index 00000000..7fc25538 --- /dev/null +++ b/terraform/gcp/common/single-common/main.tf 
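Review bot: The new `replace()` chain in the `google_compute_network`/`google_compute_subnetwork` names only strips parentheses and collapses `--`, but GCE resource names must match `^[a-z]([-a-z0-9]*[a-z0-9])?$` and stay under 64 characters, so if `var.type` or `var.prefix` can carry spaces, uppercase or other punctuation the apply still fails at the API with a less helpful message; a regex sanitizer such as `replace(lower(var.type), "/[^a-z0-9-]+/", "-")` (with a trim of leading/trailing hyphens) catches the remaining cases in one place. Changing the computed `name` forces replacement of existing networks and subnets, which is worth a comment next to the expression so the next edit does not do it by accident. The values `var.type` takes and the calling module are not visible in this hunk.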
@@ -0,0 +1,156 @@ +locals { + disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : "" + admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false +} + +resource "random_string" "random_string" { + length = 5 + special = false + upper = false + keepers = {} +} + +resource "random_string" "generated_password" { + length = 12 + special = false +} +resource "google_compute_address" "static" { + name = "ipv4-address-${random_string.random_string.result}" +} +resource "google_compute_instance" "gateway" { + name = "${var.prefix}-${random_string.random_string.result}" + description = "Check Point Security ${replace(var.installation_type,"(Standalone)","--")==var.installation_type?split(" ",var.installation_type)[0]:" Gateway and Management"}" + zone = var.zone + labels = {goog-dm = "${var.prefix}-${random_string.random_string.result}"} + tags =replace(var.installation_type,"(Standalone)","--")==var.installation_type?[ + "checkpoint-${split(" ",lower(var.installation_type))[0]}","${var.prefix}${random_string.random_string.result}" + ]:["checkpoint-gateway","checkpoint-management","${var.prefix}${random_string.random_string.result}"] + machine_type = var.machine_type + can_ip_forward = var.installation_type == "Management only"? false:true + boot_disk { + auto_delete = true + device_name = "chkp-single-boot-${random_string.random_string.result}" + initialize_params { + size = var.disk_size + type = local.disk_type_condition + image = "checkpoint-public/${var.image_name}" + } + } + network_interface { + network = var.network[0] + subnetwork = var.subnetwork[0] + dynamic "access_config" { + for_each = var.external_ip == "none"? []:[1] + content { + nat_ip = var.external_ip=="static" ? google_compute_address.static.address : null + } + } + + } + dynamic "network_interface" { + for_each = var.num_additional_networks >= 1 ? 
[ + 1] : [] + content { + network = var.internal_network1_network[0] + subnetwork = var.internal_network1_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks >= 2 ? [ + 1] : [] + content { + network = var.internal_network2_network[0] + subnetwork = var.internal_network2_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks >= 3 ? [ + 1] : [] + content { + network = var.internal_network3_network[0] + subnetwork = var.internal_network3_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks >= 4 ? [ + 1] : [] + content { + network = var.internal_network4_network[0] + subnetwork = var.internal_network4_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks >= 5 ? [ + 1] : [] + content { + network = var.internal_network5_network[0] + subnetwork = var.internal_network5_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks == 6 ? [ + 1] : [] + content { + network = var.internal_network6_network[0] + subnetwork = var.internal_network6_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks == 7 ? [ + 1] : [] + content { + network = var.internal_network7_network[0] + subnetwork = var.internal_network7_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_additional_networks == 8 ? [ + 1] : [] + content { + network = var.internal_network8_network[0] + subnetwork = var.internal_network8_subnetwork[0] + } + } + + service_account { + scopes = [ + "https://www.googleapis.com/auth/cloudruntimeconfig", + "https://www.googleapis.com/auth/monitoring.write"] + } + + metadata = local.admin_SSH_key_condition ? 
{
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generate_password ?random_string.generated_password.result : ""
+ } : {adminPasswordSourceMetadata = var.generate_password?random_string.generated_password.result : ""}
+
+ metadata_startup_script = templatefile("${path.module}/../startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generate_password
+ config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/-config"
+ config_path = "projects/${var.project}/configs/-config"
+ sicKey = ""
+ allowUploadDownload = var.allow_upload_download
+ templateName = "single_tf"
+ templateVersion = "20230910"
+ templateType = "terraform"
+ hasInternet = "true"
+ enableMonitoring = var.enable_monitoring
+ shell = var.admin_shell
+ installation_type = var.installation_type
+ computed_sic_key = var.sic_key
+ managementGUIClientNetwork = var.management_gui_client_network
+ installSecurityManagement = true
+ primary_cluster_address_name = ""
+ secondary_cluster_address_name = ""
+ subnet_router_meta_path = ""
+ mgmtNIC = var.management_nic
+ managementNetwork = ""
+ numAdditionalNICs = ""
+ smart_1_cloud_token = var.smart_1_cloud_token
+ name = ""
+ zoneConfig = ""
+ region = ""
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/single-common/output.tf b/terraform/gcp/common/single-common/output.tf
new file mode 100644
index 00000000..f15b3241
--- /dev/null
+++ b/terraform/gcp/common/single-common/output.tf
@@ -0,0 +1,3 @@
+output "external_nat_ip" {
+ value = google_compute_instance.gateway.network_interface[0].access_config[0].nat_ip
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/single-common/variables.tf b/terraform/gcp/common/single-common/variables.tf
new file mode 100644
index 00000000..21f8168e
--- /dev/null
+++ b/terraform/gcp/common/single-common/variables.tf
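Review bot: The sixth, seventh and eighth `dynamic "network_interface"` blocks in `google_compute_instance.gateway` test `== 6`, `== 7` and `== 8` while the first five use `>=`, so a deployment with `num_additional_networks = 8` attaches interfaces 1–5 and 8 but silently skips 6 and 7 (and `7` skips 6); changing those three conditions to `for_each = var.num_additional_networks >= 6 ? [1] : []`, `>= 7` and `>= 8` makes the attached set contiguous. Separately, `random_string.generated_password` is used as the administrator password, but `random_string` does not mark its result sensitive, so the password is printed in clear text in plan output whenever `generate_password` is true; `random_password` from the same provider takes the same arguments and has a sensitive result, and it is worth a comment that the value also lands in instance metadata, which is readable by any principal with `compute.instances.get` on the project. The `templateVersion = "20230910"` literal also differs from the `20240909` entry the new README records under Revision History, so presumably one of the two is stale.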
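Review bot: `network_interface[0].access_config[0].nat_ip` indexes `access_config` unconditionally, but the instance in main.tf only emits an `access_config` block when `var.external_ip` is not `"none"`, so with `external_ip = "none"` the list is empty and this output fails with an invalid-index error; `value = var.external_ip == "none" ? null : google_compute_instance.gateway.network_interface[0].access_config[0].nat_ip` (or wrapping the expression in `try(..., null)`) keeps the output valid for all three allowed values.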
@@ -0,0 +1,226 @@ + +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" + validation { + condition = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project)) && length(var.project) >= 6 && length(var.project) <= 30 + error_message = "The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphenst and cannot end with a hyphen." + } +} +variable "zone" { + type = string + description = "The zone determines what computing resources are available and where your data is stored and used" + default = "us-central1-a" +} +variable "image_name" { + type = string + description = "The single gateway and management image name" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" + validation { + condition = contains(["R8110", "R8120", "R82"], var.os_version) + error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'" + } +} +variable "installation_type" { + type = string + description = "Installation type and version" + default = "Gateway only" + validation { + condition = contains(["Gateway only" , "Management only" , "Manual Configuration" , "Gateway and Management (Standalone)"] , var.installation_type) + error_message = "Allowed values for installationType are 'Gateway only' , 'Management only' , 'Manual Configuration' , 'Gateway and Management (Standalone)'" + } +} +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-single-tf-" +} +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "network" { + type = list(string) + description = "The network determines what network traffic the instance can access" + default = ["default"] +} +variable "subnetwork" { + type = list(string) + description = "Assigns the instance an IPv4 address from the 
subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." + default = ["default"] +} +variable "disk_type" { + type = string + description ="Disk type" + default = "SSD Persistent Disk" + validation { + condition = contains(["SSD Persistent Disk" , "Standard Persistent Disk"] , var.disk_type) + error_message = "Allowed values for diskType are : 'SSD Persistent Disk' , 'Standard Persistent Disk'" + } +} +variable "disk_size" { + type = number + description ="Disk size in GB" + default = 100 +} +variable "generate_password" { + type = bool + description ="Automatically generate an administrator password " + default = false +} +variable "management_nic" { + type = string + description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" +} +variable "allow_upload_download" { + type = string + description ="Allow download from/upload to Check Point" + default = true +} +variable "enable_monitoring" { + type = bool + description ="Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" + validation { + condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin_shell) + error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'" + } +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = "" +} +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "sic_key" { + type = string + description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server" + default = "" + validation { + condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key)) + error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + } +} +variable "management_gui_client_network" { + type = string + description ="Allowed GUI clients " + default = "0.0.0.0/0" +} +variable "smart_1_cloud_token" { + type = string + description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "num_additional_networks" { + type = number + description ="Number of additional network interfaces" + default = 0 + validation { + condition = var.num_additional_networks >= 0 && var.num_additional_networks <= 8 + error_message = "The number of internal networks must be between 0 and 8." + } +} +variable "external_ip" { + type = string + description = "External IP address type" + default = "static" + validation { + condition = contains(["static", "ephemeral", "none"], var.external_ip) + error_message = "Allowed values for externalIP are 'static' , 'ephemeral' , 'none'" + } +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." 
+ default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network7_network" { + type = list(string) + description = "7th internal network ID in the chosen zone." + default = [] +} +variable "internal_network7_subnetwork" { + type = list(string) + description = "7th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network8_network" { + type = list(string) + description = "8th internal network ID in the chosen zone." + default = [] +} +variable "internal_network8_subnetwork" { + type = list(string) + description = "8th internal subnet ID in the chosen network." + default = [] +} 
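Review bot: `sic_key` defaults to `""` but its validation requires `^[a-z0-9A-Z]{12,30}$`, so the default never passes and every deployment — including "Management only", which has no peer to establish trust with, and the case the new README describes as "a key will be automatically generated" — must supply a key; `condition = var.sic_key == "" || can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key))` admits the documented empty value. `project` has the same shape (default `""`, pattern requiring 6–30 characters), which is presumably intentional to force the value to be set, but a comment on the variable saying so would stop the next reader from treating it as a bug. `sic_key`, `smart_1_cloud_token` and `maintenance_mode_password_hash` are secrets or secret-derived values and none is declared `sensitive = true`, so they appear in clear text in plan output. `allow_upload_download` is declared `type = string` with a boolean default while `enable_monitoring` and `generate_password` are `bool`; Terraform converts it silently, but aligning the type avoids a `"true"`-versus-`true` surprise in the template.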
diff --git a/terraform/gcp/common/startup-script.sh b/terraform/gcp/common/startup-script.sh
index c8192303..6140c974 100755
--- a/terraform/gcp/common/startup-script.sh
+++ b/terraform/gcp/common/startup-script.sh
@@ -1,3 +1,3 @@
 #cloud-config
 runcmd:
- - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installation_type}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
diff --git a/terraform/gcp/single/README.md b/terraform/gcp/single/README.md
new file mode 100644
index 00000000..c586e46c
--- /dev/null
+++ b/terraform/gcp/single/README.md
@@ -0,0 +1,253 @@ +# Check Point single gateway and management Terraform module for GCP + +Terraform module which deploys a single gateway and management of Check Point Security Gateways. + +These types of Terraform resources are supported: +[Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) +[Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation +[Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) +[Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + +See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform. + +## Before you begin + +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider + +The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: + +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.create + compute.addresses.delete + compute.addresses.get + compute.addresses.use + compute.disks.create + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.firewalls.update + compute.instances.create + compute.instances.delete + compute.instances.deleteAccessConfig + compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType + compute.instances.setMetadata + compute.instances.setServiceAccount + compute.instances.setTags + compute.instances.updateNetworkInterface + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.updatePolicy + compute.regionOperations.get + compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccounts.actAs + ``` +3. `credentials` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+ The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + ` service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id"` - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ` provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` ` + +## Usage + +- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in single/terraform.tfvars file as follows: + +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +image_name = "check-point-r8120-gw-byol-single-631-991001669-v20240923" +os_version = "R8120" +installation_type = "Gateway only" +license = "BYOL" +prefix = "chkp-single-tf-" +management_nic = "Ephemeral Public IP (eth0)" +admin_shell = "/etc/cli.sh" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +generate_password = false +allow_upload_download = true +sic_key = "xxxxxxxxx" +management_gui_client_network = "0.0.0.0/0" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +region = "us-central1" +zone = "us-central1-a" +network_name = "" +subnetwork_name = "" +network_cidr = "10.0.0.0/24" +TCP_traffic = ["0.0.0.0/0"] +ICMP_traffic = [] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] +num_additional_networks = 1 +external_ip = "static" +internal_network1_name = "" +internal_network1_subnetwork_name = "" +internal_network1_cidr = "10.0.1.0/24" + +# --- 
Instance Configuration --- +machine_type = "n1-standard-4" +disk_type = "SSD Persistent Disk" +disk_size = 100 +enable_monitoring = false + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation + +
1. For each network and subnet variable, you can choose whether to create a new network with a new subnet or to use an existing one. + +- If you want to create a new network and subnet, please input a subnet CIDR block for the desired new network - In this case, the network name and subnetwork name will not be used: + +``` + network_cidr = "10.0.1.0/24" + network_name = "not-use" + network_subnetwork_name = "not-use" +``` + +- Otherwise, if you want to use existing network and subnet, please leave empty double quotes in the CIDR variable for the desired network: + +``` + network_cidr = "" + network_name = "network_name" + network_subnetwork_name = "subnetwork_name" +``` + +
2. To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. + +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = ["0.0.0.0/0"] +SCTP_traffic = ["0.0.0.0/0"] +ESP_traffic = ["0.0.0.0/0"] +``` + +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs + +| Name | Description | Type | Allowed values | Default | Required | +| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | -------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project ID. The project indicates the default GCP project all of your resources will be created in. The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphenst and cannot end with a hyphen. 
| string | N/A | "" | yes | +| region | GCP region | string | N/A | N/A | yes | +| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | us-central1-a | yes | +| image_name | The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001669-v20240923 for gateway or check-point-r8120-byol-634-991001641-v20240807 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py). | string | N/A | N/A | yes | +| os_version | GAIA OS Version | string | R81;
R8110;
R8120;
R82; | R8120 | yes | +| installation_type | Installation type | string | Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) | Gateway only | yes | +| license | Checkpoint license (BYOL or PAYG). | string | BYOL;
PAYG; | BYOL | yes | +| prefix | (Optional) Resources name prefix | string | N\A | chkp-single-tf- | no | +| machine_type | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4 | no | +| network_name | network ID in the chosen zone. The network determines what network traffic the instance can access | string | N/A | N/A | no | +| subnetwork_name | subNetwork ID in the chosen zone. The subNetwork determines what network traffic the instance can access | string | N/A | N/A | no | +| network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | no | +| TCP_traffic | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | N/A | no | | +| ICMP_traffic | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | N/A | no | +| UDP_traffic | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. 
[Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | N/A | no | +| SCTP_traffic | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | N/A | no | +| ESP_traffic | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | N/A | no | +| disk_type | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types) | SSD Persistent Disk | no | +| disk_size | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance) | 100 | no | +| generate_password | Automatically generate an administrator password | boolean | true;
false; | false | no | +| allow_upload_download | Allow download from/upload to Check Point | boolean | true;
false; | true | no | +| enable_monitoring | Enable Stackdriver monitoring | boolean | true;
false; | false | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| /etc/cli.sh | no | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no | +| sic_key | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | "" | no | +| management_gui_client_network | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | 0.0.0.0/0 | no | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | +| num_additional_networks | Number of additional network interfaces | number | A number in the range 1 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | 0 | no | +| external_ip | External IP address type | string | static;
ephemeral;
An external IP address associated with this instance. Selecting "none" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | static | no | +| internal_network1_name | 1st internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network1_cidr, this network name will not be used. | string | Available network in the chosen zone | N/A | no | +| internal_network1_subnetwork_name | 1st internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network1_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subNetwork in the chosen zone | N/A | no | +| internal_network1_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | no | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | Ephemeral Public IP (eth0) | no | + +## Outputs + +| Name | Description | +| ------------------------ | ---------------------------------------------------------------------------- | +| network | If network_cidr has been set - it will create new network | +| subnet | If network_cider has been set - it will create new subnet in the new network | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History + +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------------------------------------------------------------| +| 20240909 | Merged single-into-new-vpc and single-into-existing-vpc to single template| +| | | + +## Authors + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/gcp/single/locals.tf b/terraform/gcp/single/locals.tf new file mode 100644 index 00000000..a43ffaa9 --- /dev/null +++ b/terraform/gcp/single/locals.tf 
@@ -0,0 +1,23 @@
+locals {
+ create_network_condition = var.network_cidr == "" ? false : true
+
+ create_internal_network1_condition = var.internal_network1_cidr != "" && var.num_additional_networks >= 1 ? true : false
+ create_internal_network2_condition = var.internal_network2_cidr != "" && var.num_additional_networks >= 2 ? true : false
+ create_internal_network3_condition = var.internal_network3_cidr != "" && var.num_additional_networks >= 3 ? true : false
+ create_internal_network4_condition = var.internal_network4_cidr != "" && var.num_additional_networks >= 4 ? true : false
+ create_internal_network5_condition = var.internal_network5_cidr != "" && var.num_additional_networks >= 5 ? true : false
+ create_internal_network6_condition = var.internal_network6_cidr != "" && var.num_additional_networks >= 6 ? true : false
+ create_internal_network7_condition = var.internal_network5_cidr != "" && var.num_additional_networks >= 7 ? true : false
+ create_internal_network8_condition = var.internal_network6_cidr != "" && var.num_additional_networks >= 8 ? true : false
+
+ TCP_traffic_condition = length(var.TCP_traffic) == 0 ? 0 : 1
+ ICMP_traffic_condition = length(var.ICMP_traffic) == 0 ? 0 : 1
+ UDP_traffic_condition = length(var.UDP_traffic) == 0 ? 0 : 1
+ SCTP_traffic_condition = length(var.SCTP_traffic) == 0 ? 0 : 1
+ ESP_traffic_condition = length(var.ESP_traffic) == 0 ? 0 : 1
+
+ validate_management_without_public_ip = var.installation_type == "Management only" && var.external_ip == "none" ? index("error:" , "using management externalIP cannot be none") : 0
+ validate_management_additional_networks = var.installation_type == "Management only" && var.num_additional_networks > 0 ? index("error:" , "If you create a management only installation, you cant have additional network") : 0
+
+ validate_gateway_additional_networks = var.installation_type == "Gateway only" && var.num_additional_networks <= 0 ? 
index("error:" , "If you create a gateway only installation, you need to have additional networks 1-8") : 0
+}
\ No newline at end of file
diff --git a/terraform/gcp/single/main.tf b/terraform/gcp/single/main.tf
new file mode 100644
index 00000000..6cd02e5b
--- /dev/null
+++ b/terraform/gcp/single/main.tf
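Review bot: `create_internal_network7_condition` and `create_internal_network8_condition` test `var.internal_network5_cidr` and `var.internal_network6_cidr` instead of the 7th and 8th CIDR variables, so whether the 7th and 8th internal networks are created depends on the wrong inputs; the fix is `create_internal_network7_condition = var.internal_network7_cidr != "" && var.num_additional_networks >= 7 ? true : false` and the matching `var.internal_network8_cidr` line for 8. The three `validate_*` locals rely on `index("error:", ...)` failing, which surfaces at plan time only as a generic element-not-found error rather than the message text; since variables.tf in this same diff already uses `validation` blocks with explicit `error_message`s, these cross-variable checks would be clearer as a lifecycle `precondition` (on a Terraform version that supports it) or at least as a comment above the block, e.g. `# Deliberate plan-time failure: index() errors when the condition is true; the second argument is the message shown to the user.` Minor: `var.network_cidr == "" ? false : true` is simply `var.network_cidr != ""`, and the `? true : false` suffixes on the eight conditions are redundant.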
@@ -0,0 +1,212 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+module "common" {
+ source = "../common/common"
+ installation_type = var.installation_type
+ os_version = var.os_version
+ image_name = var.image_name
+ admin_shell = var.admin_shell
+ license = var.license
+ admin_SSH_key = var.admin_SSH_key
+}
+
+module "network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = replace(lower(var.installation_type), " ", "-")
+ network_cidr = var.network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.network_name
+
+}
+module "network_ICMP_firewall_rules" {
+ count = local.ICMP_traffic_condition
+ source = "../common/firewall-rule"
+ protocol = "icmp"
+ source_ranges = var.ICMP_traffic
+ rule_name = "${var.prefix}-${replace(replace(replace(lower(var.installation_type), "(", ""), ")", ""), " ", "-")}-icmp-${random_string.random_string.result}"
+ network = local.create_network_condition ? module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+}
+module "network_TCP_firewall_rules" {
+ count = local.TCP_traffic_condition
+ source = "../common/firewall-rule"
+ protocol = "tcp"
+ source_ranges = var.TCP_traffic
+ rule_name = "${var.prefix}-${replace(replace(replace(lower(var.installation_type), "(", ""), ")", ""), " ", "-")}-tcp-${random_string.random_string.result}"
+ network = local.create_network_condition ? 
module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+}
+module "network_UDP_firewall_rules" {
+ count = local.UDP_traffic_condition
+ source = "../common/firewall-rule"
+ protocol = "udp"
+ source_ranges = var.UDP_traffic
+ rule_name = "${var.prefix}-${replace(replace(replace(lower(var.installation_type), "(", ""), ")", ""), " ", "-")}-udp-${random_string.random_string.result}"
+ network = local.create_network_condition ? module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+}
+module "network_SCTP_firewall_rules" {
+ count = local.SCTP_traffic_condition
+ source = "../common/firewall-rule"
+ protocol = "sctp"
+ source_ranges = var.SCTP_traffic
+ rule_name = "${var.prefix}-${replace(replace(replace(lower(var.installation_type), "(", ""), ")", ""), " ", "-")}-sctp-${random_string.random_string.result}"
+ network = local.create_network_condition ? module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+}
+module "network_ESP_firewall_rules" {
+ count = local.ESP_traffic_condition
+ source = "../common/firewall-rule"
+ protocol = "esp"
+ source_ranges = var.ESP_traffic
+ rule_name = "${var.prefix}-${replace(replace(replace(lower(var.installation_type), "(", ""), ")", ""), " ", "-")}-esp-${random_string.random_string.result}"
+ network = local.create_network_condition ? module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+}
+
+module "internal_network1_and_subnet" {
+ count = local.create_internal_network1_condition ? 
1 : 0
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network1"
+ network_cidr = var.internal_network1_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network1_name
+}
+module "internal_network2_and_subnet" {
+ count = local.create_internal_network2_condition ? 1 : 0
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network2"
+ network_cidr = var.internal_network2_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network2_name
+}
+module "internal_network3_and_subnet" {
+ count = var.num_additional_networks < 3 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network3"
+ network_cidr = var.internal_network3_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network3_name
+}
+module "internal_network4_and_subnet" {
+ count = var.num_additional_networks < 4 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network4"
+ network_cidr = var.internal_network4_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network4_name
+}
+module "internal_network5_and_subnet" {
+ count = var.num_additional_networks < 5 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network5"
+ network_cidr = var.internal_network5_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network5_name
+}
+module "internal_network6_and_subnet" {
+ count = var.num_additional_networks < 6 ? 
0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network6"
+ network_cidr = var.internal_network6_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network6_name
+}
+module "internal_network7_and_subnet" {
+ count = var.num_additional_networks < 7 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network7"
+ network_cidr = var.internal_network7_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network7_name
+}
+module "internal_network8_and_subnet" {
+ count = var.num_additional_networks < 8 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network8"
+ network_cidr = var.internal_network8_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network8_name
+}
+module "single" {
+ source = "../common/single-common"
+ project = var.project
+
+ # Check Point Deployment
+ image_name = var.image_name
+ os_version = var.os_version
+ installation_type = var.installation_type
+ prefix = var.prefix
+ management_nic = var.management_nic
+ admin_shell = var.admin_shell
+ admin_SSH_key = var.admin_SSH_key
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ generate_password = var.generate_password
+ allow_upload_download = var.allow_upload_download
+ sic_key = var.sic_key
+ management_gui_client_network = var.management_gui_client_network
+
+ # Smart-1 Cloud
+ smart_1_cloud_token = var.smart_1_cloud_token
+
+ # Networking
+ zone = var.zone
+ network = local.create_network_condition ? module.network_and_subnet.new_created_network_link : module.network_and_subnet.existing_network_link
+ subnetwork = local.create_network_condition ? 
module.network_and_subnet.new_created_subnet_link : [var.subnetwork_name]
+ num_additional_networks = var.num_additional_networks
+ external_ip = var.external_ip
+
+ #Internal networks
+ internal_network1_network = var.num_additional_networks < 1 ? [] : local.create_internal_network1_condition ? module.internal_network1_and_subnet[0].new_created_network_link : [var.internal_network1_name]
+ internal_network1_subnetwork = var.num_additional_networks < 1 ? [] : local.create_internal_network1_condition ? module.internal_network1_and_subnet[0].new_created_subnet_link : [var.internal_network1_subnetwork_name]
+ internal_network2_network = var.num_additional_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_network_link : [var.internal_network2_name]
+ internal_network2_subnetwork = var.num_additional_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_subnet_link : [var.internal_network2_subnetwork_name]
+ internal_network3_network = var.num_additional_networks < 3 ? [] : local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_network_link : [var.internal_network3_name]
+ internal_network3_subnetwork = var.num_additional_networks < 3 ? [] :local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_subnet_link : [var.internal_network3_subnetwork_name]
+ internal_network4_network = var.num_additional_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_network_link : [var.internal_network4_name]
+ internal_network4_subnetwork = var.num_additional_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_subnet_link : [var.internal_network4_subnetwork_name]
+ internal_network5_network = var.num_additional_networks < 5 ? 
[] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_network_link : [var.internal_network5_name]
+ internal_network5_subnetwork = var.num_additional_networks < 5 ? [] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_subnet_link : [var.internal_network5_subnetwork_name]
+ internal_network6_network = var.num_additional_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_network_link : [var.internal_network6_name]
+ internal_network6_subnetwork = var.num_additional_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_subnet_link : [var.internal_network6_subnetwork_name]
+ internal_network7_network = var.num_additional_networks < 7 ? [] : local.create_internal_network7_condition ? module.internal_network7_and_subnet[0].new_created_network_link : [var.internal_network7_name]
+ internal_network7_subnetwork = var.num_additional_networks < 7 ? [] : local.create_internal_network7_condition ? module.internal_network7_and_subnet[0].new_created_subnet_link : [var.internal_network7_subnetwork_name]
+ internal_network8_network = var.num_additional_networks < 8 ? [] : local.create_internal_network8_condition ? module.internal_network8_and_subnet[0].new_created_network_link : [var.internal_network8_name]
+ internal_network8_subnetwork = var.num_additional_networks < 8 ? [] : local.create_internal_network8_condition ? module.internal_network8_and_subnet[0].new_created_subnet_link : [var.internal_network8_subnetwork_name]
+
+ # Instances configuration
+ machine_type = var.machine_type
+ disk_type = var.disk_type
+ disk_size = var.disk_size
+ enable_monitoring = var.enable_monitoring
+}
\ No newline at end of file
diff --git a/terraform/gcp/single/output.tf b/terraform/gcp/single/output.tf
new file mode 100644
index 00000000..1ac01859
--- /dev/null
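Review bot: The `count` on `internal_network3_and_subnet` through `internal_network8_and_subnet` is `var.num_additional_networks < N ? 0 : 1`, whereas networks 1 and 2 use `local.create_internal_networkN_condition`, which additionally requires a non-empty CIDR; with `num_additional_networks >= 3` and an empty `internal_network3_cidr` the module is instantiated with `network_cidr = ""` even though `module "single"` below then ignores it and passes `[var.internal_network3_name]`. Changing those six lines to `count = local.create_internal_networkN_condition ? 1 : 0` makes them consistent with networks 1–2 and with the selection logic in `module "single"` (what the network-and-subnet module does with an empty CIDR is not visible in this chunk, so the current behaviour may be harmless but is at best wasteful). The `count = local.<PROTO>_traffic_condition` lines on the five firewall-rule modules take a number rather than a boolean, which reads oddly next to the `? 1 : 0` form used for the internal networks; a one-line comment such as `# 1 when any source range is given for this protocol, 0 otherwise (see locals.tf)` on the first of them would help.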
+++ b/terraform/gcp/single/output.tf 
@@ -0,0 +1,74 @@
+output "network" {
+ value = module.network_and_subnet.new_created_network_name
+}
+
+output "subnetwork" {
+ value = module.network_and_subnet.new_created_subnet_name
+}
+
+output "network_ICMP_firewall_rule" {
+ value = module.network_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "network_TCP_firewall_rule" {
+ value = module.network_TCP_firewall_rules[*].firewall_rule_name
+}
+output "network_UDP_firewall_rule" {
+ value = module.network_UDP_firewall_rules[*].firewall_rule_name
+}
+output "network_SCTP_firewall_rule" {
+ value = module.network_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "network_ESP_firewall_rule" {
+ value = module.network_ESP_firewall_rules[*].firewall_rule_name
+}
+output "external_ip" {
+ value = module.single.external_nat_ip
+}
+output "int_network1_new_created_network" {
+ value = module.internal_network1_and_subnet[*].new_created_network_name
+}
+output "int_network1_new_created_subnet" {
+ value = module.internal_network1_and_subnet[*].new_created_subnet_name
+}
+output "int_network2_new_created_network" {
+ value = module.internal_network2_and_subnet[*].new_created_network_name
+}
+output "int_network2_new_created_subnet" {
+ value = module.internal_network2_and_subnet[*].new_created_subnet_name
+}
+output "int_network3_new_created_network" {
+ value = module.internal_network3_and_subnet[*].new_created_network_name
+}
+output "int_network3_new_created_subnet" {
+ value = module.internal_network3_and_subnet[*].new_created_subnet_name
+}
+output "int_network4_new_created_network" {
+ value = module.internal_network4_and_subnet[*].new_created_network_name
+}
+output "int_network4_new_created_subnet" {
+ value = module.internal_network4_and_subnet[*].new_created_subnet_name
+}
+output "int_network5_new_created_network" {
+ value = module.internal_network5_and_subnet[*].new_created_network_name
+}
+output "int_network5_new_created_subnet" {
+ value = 
module.internal_network5_and_subnet[*].new_created_subnet_name
+}
+output "int_network6_new_created_network" {
+ value = module.internal_network6_and_subnet[*].new_created_network_name
+}
+output "int_network6_new_created_subnet" {
+ value = module.internal_network6_and_subnet[*].new_created_subnet_name
+}
+output "int_network7_new_created_network" {
+ value = module.internal_network7_and_subnet[*].new_created_network_name
+}
+output "int_network7_new_created_subnet" {
+ value = module.internal_network7_and_subnet[*].new_created_subnet_name
+}
+output "int_network8_new_created_network" {
+ value = module.internal_network8_and_subnet[*].new_created_network_name
+}
+output "int_network8_new_created_subnet" {
+ value = module.internal_network8_and_subnet[*].new_created_subnet_name
+}
\ No newline at end of file
diff --git a/terraform/gcp/single/terraform.tfvars b/terraform/gcp/single/terraform.tfvars
new file mode 100644
index 00000000..c8a37127
--- /dev/null
+++ b/terraform/gcp/single/terraform.tfvars
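Review bot: The output names here do not match the README's Outputs table added in this same diff: the README lists `subnet`, `SIC_key` and `ICMP_firewall_rules_name` … `ESP_firewall_rules_name`, while output.tf defines `subnetwork`, `network_ICMP_firewall_rule` … `network_ESP_firewall_rule`, `external_ip` and the `int_networkN_*` outputs, and there is no `SIC_key` output at all. One of the two should be aligned, and none of the 24 outputs carries a `description`; for the internal-network pairs something like `description = "Name of the Nth internal network created from internal_networkN_cidr; empty list when that module was not instantiated"` would document the splat-over-`count` shape. `network` and `subnetwork` read `new_created_*_name` unconditionally, so their value when `network_cidr` is empty depends on the network-and-subnet module, which is not in this chunk; a short comment stating the expected value in that case would save the reader a lookup.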
@@ -0,0 +1,46 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment---
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001669-v20240923"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
+management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
+admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
+admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+generate_password = "PLEASE ENTER GENERATE PASSWORD" # false
+allow_upload_download = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # true
+sic_key = "PLEASE ENTER SIC KEY" # ""
+management_gui_client_network = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking---
+region = "PLEASE ENTER REGION" # "us-central1"
+zone = "PLEASE ENTER ZONE" # "us-central1-a"
+network_name = "PLEASE ENTER NETWORK NAME" # ""
+subnetwork_name = "PLEASE ENTER SUBNETWORK NAME" # ""
+network_cidr = "PLEASE ENTER NETWORK CIDR" # "10.0.1.0/24"
+TCP_traffic = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # []
+ICMP_traffic = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # []
+UDP_traffic = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # []
+SCTP_traffic = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # []
+ESP_traffic = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # []
+num_additional_networks = "PLEASE ENTER NUM ADDITIONAL INTERNAL NETWORKS" # 1
+external_ip = "PLEASE 
ENTER EXTERNAL IP" # "static"
+internal_network1_name = "PLEASE ENTER INTERNAL NETWORK1 NAME" # ""
+internal_network1_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK1 NAME" # ""
+internal_network1_cidr = "PLEASE ENTER INTERNAL NETWORK1 CIDR" # "10.0.2.0/24"
+
+
+# --- Instances configuration---
+machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4"
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER BOOT DISK SIZE GB" # 100
+enable_monitoring = "PLEASE ENTER ENABLE MONITORING" # false
diff --git a/terraform/gcp/single/variables.tf b/terraform/gcp/single/variables.tf
new file mode 100644
index 00000000..d52441f8
--- /dev/null
+++ b/terraform/gcp/single/variables.tf
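Review bot: The example value shown for `sic_key` is `# ""`, but variables.tf in this diff validates `sic_key` with `can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key))`, so copying the suggested value fails `terraform plan`; the comment should show the expected shape instead, e.g. `sic_key = "PLEASE ENTER SIC KEY" # "12-30 alphanumeric characters"`. The `*_traffic` examples and `management_gui_client_network` (`"0.0.0.0/0"`) are passed through in main.tf to the firewall-rule modules and to `module "single"`, so a comment next to them such as `# narrow these to your administrator source ranges before applying` would steer operators away from copying the wide example. `service_account_path` points at a JSON key under the working tree (`service-accounts/...`), so a reminder comment that the key file must stay out of version control is worth adding on that line as well.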
@@ -0,0 +1,309 @@
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zone" {
+ type = string
+ description = "The zone determines what computing resources are available and where your data is stored and used"
+ default = "us-central1-a"
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+ validation {
+ condition = contains(["R8110", "R8120" , "R81", "R82"], var.os_version)
+ error_message = "Allowed values for os-version are 'R8110', 'R8120' , 'R81', 'R82'"
+ }
+}
+variable "installation_type" {
+ type = string
+ description = "Installation type"
+ default = "Gateway only"
+ validation {
+ condition = contains(["Gateway only" , "Management only" , "Manual Configuration" , "Gateway and Management (Standalone)"] , var.installation_type)
+ error_message = "Allowed values for installationType are 'Gateway only' , 'Management only' , 'Manual Configuration' , 'Gateway and Management (Standalone)'"
+ }
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)." 
+ default = "BYOL"
+ validation {
+ condition = contains(["BYOL" , "PAYG"] , var.license)
+ error_message = "Allowed licenses are 'BYOL' , 'PAYG'"
+ }
+}
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-single-tf-"
+}
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+ default = "default"
+}
+variable "subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = "default"
+}
+variable "network_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "TCP_traffic" {
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic." 
+ default = []
+}
+variable "ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "disk_type" {
+ type = string
+ description ="Disk type"
+ default = "SSD Persistent Disk"
+ validation {
+ condition = contains(["SSD Persistent Disk" , "Standard Persistent Disk"] , var.disk_type)
+ error_message = "Allowed values for diskType are : 'SSD Persistent Disk' , 'Standard Persistent Disk'"
+ }
+}
+variable "disk_size" {
+ type = number
+ description ="Disk size in GB"
+ default = 100
+}
+variable "generate_password" {
+ type = bool
+ description ="Automatically generate an administrator password "
+ default = false
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "allow_upload_download" {
+ type = bool
+ description ="Allow download from/upload to Check Point"
+ default = true
+}
+variable "enable_monitoring" {
+ type = bool
+ description ="Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+ validation {
+ condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin_shell)
+ error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'"
+ }
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = ""
+}
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "sic_key" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
+ default = ""
+ validation {
+ condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key))
+ error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ }
+
+}
+variable "management_gui_client_network" {
+ type = string
+ description ="Allowed GUI clients "
+ default = "0.0.0.0/0"
+}
+variable "smart_1_cloud_token" {
+ type = string
+ description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "num_additional_networks" {
+ type = number
+ description = "A number in the range 0 - 8 of internal network interfaces."
+ default = 0
+ validation {
+ condition = var.num_additional_networks >= 0 && var.num_additional_networks <= 8
+ error_message = "The number of internal networks must be between 0 and 8."
+ }
+}
+variable "external_ip" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+ validation {
+ condition = contains(["static", "ephemeral", "none"], var.external_ip)
+ error_message = "Allowed values for external_ip are 'static' , 'ephemeral' , 'none'"
+ }
+}
+variable "internal_network1_cidr" {
+ type = string
+ description = "1st internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = "10.0.2.0/24"
+}
+variable "internal_network1_name" {
+ type = string
+ description = "1st internal network ID in the chosen zone." 
+ default = ""
+}
+variable "internal_network1_subnetwork_name" {
+ type = string
+ description = "1st internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network2_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks is 2 or and above - 2nd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network2_name" {
+ type = string
+ description = "2nd internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network2_subnetwork_name" {
+ type = string
+ description = "2nd internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network3_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks is 3 or and above - 3rd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network3_name" {
+ type = string
+ description = "3rd internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network3_subnetwork_name" {
+ type = string
+ description = "3rd internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network4_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks is 4 or and above - 4th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network4_name" {
+ type = string
+ description = "4th internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network4_subnetwork_name" {
+ type = string
+ description = "4th internal subnet ID in the chosen network." 
+ default = ""
+}
+variable "internal_network5_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks is 5 or and above - 5th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network5_name" {
+ type = string
+ description = "5th internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network5_subnetwork_name" {
+ type = string
+ description = "5th internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network6_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks equals 6 - 6th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network6_name" {
+ type = string
+ description = "6th internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network6_subnetwork_name" {
+ type = string
+ description = "6th internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network7_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks equals 7 - 7th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network7_name" {
+ type = string
+ description = "7th internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network7_subnetwork_name" {
+ type = string
+ description = "7th internal subnet ID in the chosen network."
+ default = ""
+}
+variable "internal_network8_cidr" {
+ type = string
+ description = "Used only if var.num_additional_networks equals 8 - 8th internal subnet CIDR. 
If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network8_name" {
+ type = string
+ description = "8th internal network ID in the chosen zone."
+ default = ""
+}
+variable "internal_network8_subnetwork_name" {
+ type = string
+ description = "8th internal subnet ID in the chosen network."
+ default = ""
+}
diff --git a/terraform/gcp/single/versions.tf b/terraform/gcp/single/versions.tf
new file mode 100644
index 00000000..8212362e
--- /dev/null
+++ b/terraform/gcp/single/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 3.53, < 5.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.4"
+ }
+ }
+
+ provider_meta "google" {
+ module_name = "blueprints/terraform/canonical-mp/v0.0.1"
+ }
+}
\ No newline at end of file
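Review bot: `sic_key` has `default = ""` but its validation requires `^[a-z0-9A-Z]{12,30}$`, so the default can never pass and the variable is effectively mandatory, including for `installation_type = "Management only"` where, going by the description, there is no gateway-to-management trust to establish; either drop the default or accept the empty value with `condition = var.sic_key == "" || can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key))`. The same kind of default-vs-check conflict exists between `installation_type = "Gateway only"` and `num_additional_networks = 0`, which together trip `validate_gateway_additional_networks` in locals.tf, so a fresh `terraform plan` with all defaults fails; the `num_additional_networks` description should state that Gateway only requires at least 1. `management_gui_client_network` defaults to `0.0.0.0/0` with the description `"Allowed GUI clients "`, and a default that broad deserves an explicit description such as `description = "CIDR of the clients allowed to reach the management GUI. The default allows any source; narrow it for production."`. Smaller points: `internal_network1_cidr` defaults to `"10.0.2.0/24"` while networks 2–8 default to `""`, which changes what locals.tf creates and is worth a sentence in its description; the four `*_traffic` descriptions say "leave empty list to unable X traffic" where "disable" is meant, and `TCP_traffic` ("Allow TCP traffic from the Internet") should match their form; `region` and `machine_type` have no description at all.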