Azure vWAN | Updated routing-intent deploymnet
chkp-yairra committed Feb 28, 2024
1 parent 69b22f2 commit 347f5b1
Showing 9 changed files with 95 additions and 115 deletions.
29 changes: 0 additions & 29 deletions terraform/azure/modules/add-routing-intent.py

This file was deleted.

69 changes: 34 additions & 35 deletions terraform/azure/nva-into-existing-hub/README.md


32 changes: 18 additions & 14 deletions terraform/azure/nva-into-existing-hub/main.tf
Expand Up @@ -40,8 +40,8 @@ data "http" "image-versions" {
}

locals {
image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
routing_intent-internet-policy = {
image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
routing_intent-internet-policy = {
"name": "InternetTraffic",
"destinations": [
"Internet"
Expand All @@ -55,9 +55,9 @@ locals {
],
"nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
}
routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}})
req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01"
routing-intent-policies = var.routing-intent-internet-traffic ? (var.routing-intent-private-traffic ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic ? tolist([local.routing_intent-private-policy]) : [])


}

//********************** Marketplace Terms & Solution Registration **************************//
Expand Down Expand Up @@ -105,7 +105,7 @@ resource "azurerm_managed_application" "nva" {
name = "vwan-app"
product = "cp-vwan-managed-app"
publisher = "checkpoint"
version = "1.0.8"
version = "1.0.10"
}
parameter_values = jsonencode({
location = {
Expand Down Expand Up @@ -173,14 +173,18 @@ resource "azurerm_managed_application" "nva" {

//********************** Routing Intent **************************//


data "external" "update-routing-intent" {
count = length(local.routing-intent-policies) != 0 ? 1 : 0
resource "azurerm_virtual_hub_routing_intent" "routing-intent" {
count = (var.routing-intent-internet-traffic || var.routing-intent-private-traffic) ? 1 : 0
depends_on = [azurerm_managed_application.nva]
program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]
}

output "api_request_result" {
value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"}
name = "hubRoutingIntent"
virtual_hub_id = data.azurerm_virtual_hub.vwan-hub.id
dynamic "routing_policy" {
for_each = local.routing-intent-policies
content {
name = routing_policy.value["name"]
destinations = routing_policy.value["destinations"]
next_hop = routing_policy.value["nextHop"]
}
}
}
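Review bot: The new `azurerm_virtual_hub_routing_intent` resource will fail at apply time with an "already exists" error when the target hub already carries a routing intent, whereas the PUT issued by the deleted `add-routing-intent.py` helper overwrote it in place; because this template is specifically for an existing hub, the README should state that a pre-existing hubRoutingIntent must be imported first (something like `terraform import 'azurerm_virtual_hub_routing_intent.routing-intent[0]' <hub-id>/routingIntent/hubRoutingIntent`) before the policies are applied. Separately, the `count` expression re-derives a decision that `local.routing-intent-policies` already encodes; `count = length(local.routing-intent-policies) > 0 ? 1 : 0` keeps a single source of truth. The `next_hop` ID is string-built from `var.nva-rg-name` and `var.nva-name` rather than referenced from a resource — presumably because the managed application creates the NVA — so a mismatch only surfaces at apply time; a comment `# NVA is created by the managed app; must match nva-rg-name/nva-name exactly` would help the next maintainer.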

4 changes: 2 additions & 2 deletions terraform/azure/nva-into-existing-hub/terraform.tfvars
Expand Up @@ -20,8 +20,8 @@ sic-key = "PLEASE ENTER SIC KEY"
ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
custom-metrics = "PLEASE ENTER yes or no" # "yes"
routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
routing-intent-internet-traffic = "PLEASE ENTER true or false" # true
routing-intent-private-traffic = "PLEASE ENTER true or false" # true
smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
14 changes: 8 additions & 6 deletions terraform/azure/nva-into-existing-hub/variables.tf
Expand Up @@ -135,18 +135,20 @@ variable "custom-metrics" {
}

variable "routing-intent-internet-traffic" {
default = "yes"
type = bool
default = true
validation {
condition = contains(["yes", "no"], var.routing-intent-internet-traffic)
error_message = "Valid options are string('yes' or 'no')"
condition = contains([true, false], var.routing-intent-internet-traffic)
error_message = "Valid options are true or false"
}
}

variable "routing-intent-private-traffic" {
default = "yes"
type = bool
default = true
validation {
condition = contains(["yes", "no"], var.routing-intent-private-traffic)
error_message = "Valid options are string('yes' or 'no')"
condition = contains([true, false], var.routing-intent-private-traffic)
error_message = "Valid options are true or false"
}
}
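Review bot: The `validation` blocks on `routing-intent-internet-traffic` and `routing-intent-private-traffic` can no longer fail now that both variables are `type = bool`: Terraform rejects any value that does not convert to a bool before validation runs, and `contains([true, false], ...)` holds for every bool, so `error_message = "Valid options are true or false"` is unreachable. Drop the two blocks and keep only `type = bool` / `default = true`. Note also that the tfvars placeholder `"PLEASE ENTER true or false"` now surfaces as a type-conversion error rather than that message, so the README should make clear the value is an unquoted `true`/`false`.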

17 changes: 8 additions & 9 deletions terraform/azure/nva-into-new-vwan/README.md
Expand Up @@ -13,7 +13,6 @@ As part of the deployment the following resources are created:

## Configurations
- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure).
- In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed.

## Usage
- Choose the preferred login method to Azure in order to deploy the solution:
Expand Down Expand Up @@ -106,10 +105,10 @@ As part of the deployment the following resources are created:
| | | | | |
| **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes; <br/>no; |
| | | | | |
| **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes; <br/>no;<br/>Please verify routing-intent is configured successfully post-deployment. |
| | | | | |
| **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes; <br/>no;<br/>Please verify routing-intent is configured successfully post-deployment. |
| | | | | |
| **routing-intent-internet-traffic** | | Set routing intent policy to allow internet traffic through the new nva | bool | true; <br/>false; |
| | | | | |
| **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | bool | true; <br/>false; |
| | | | | |
| **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service. <br/><br/> Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | |
| | | | | |
| **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service. <br/><br/> Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | |
Expand Down Expand Up @@ -150,8 +149,8 @@ As part of the deployment the following resources are created:
ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
bgp-asn = "64512"
custom-metrics = "yes"
routing-intent-internet-traffic = "yes"
routing-intent-private-traffic = "yes"
routing-intent-internet-traffic = true
routing-intent-private-traffic = true
smart1-cloud-token-a = ""
smart1-cloud-token-b = ""
smart1-cloud-token-c = ""
Expand All @@ -161,9 +160,9 @@ As part of the deployment the following resources are created:
## Revision History
In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)

| Template Version | Description |
| Template Version | Description |
|------------------|---------------------------------------------------------------------------------------------------|
| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | |
| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | |


## License
27 changes: 15 additions & 12 deletions terraform/azure/nva-into-new-vwan/main.tf
Expand Up @@ -64,10 +64,7 @@ locals {
],
"nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
}
routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}})
req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${azurerm_resource_group.managed-app-rg.name}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01"

routing-intent-policies = var.routing-intent-internet-traffic ? (var.routing-intent-private-traffic ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic ? tolist([local.routing_intent-private-policy]) : [])
}

//********************** Marketplace Terms & Solution Registration **************************//
Expand Down Expand Up @@ -115,7 +112,7 @@ resource "azurerm_managed_application" "nva" {
name = "vwan-app"
product = "cp-vwan-managed-app"
publisher = "checkpoint"
version = "1.0.8"
version = "1.0.10"
}
parameter_values = jsonencode({
location = {
Expand Down Expand Up @@ -182,12 +179,18 @@ resource "azurerm_managed_application" "nva" {
}

//********************** Routing Intent **************************//
data "external" "update-routing-intent" {
count = length(local.routing-intent-policies) != 0 ? 1 : 0
depends_on = [azurerm_managed_application.nva]
program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]
}

output "api_request_result" {
value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"}
resource "azurerm_virtual_hub_routing_intent" "routing-intent" {
count = (var.routing-intent-internet-traffic || var.routing-intent-private-traffic) ? 1 : 0
depends_on = [azurerm_managed_application.nva]
name = "hubRoutingIntent"
virtual_hub_id = azurerm_virtual_hub.vwan-hub.id
dynamic "routing_policy" {
for_each = local.routing-intent-policies
content {
name = routing_policy.value["name"]
destinations = routing_policy.value["destinations"]
next_hop = routing_policy.value["nextHop"]
}
}
}
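Review bot: The `count` on `azurerm_virtual_hub_routing_intent.routing-intent` re-encodes a decision that `local.routing-intent-policies` already makes in the locals hunk above, so the two can drift if a third policy type is added later; `count = length(local.routing-intent-policies) > 0 ? 1 : 0` keeps one source of truth. The `next_hop` ID is string-built from `var.nva-rg-name` and `var.nva-name` with no Terraform reference to the NVA itself — presumably because the managed application creates it — so a typo only surfaces at apply time; a comment `# NVA is created by the managed app; ID must match nva-rg-name/nva-name exactly` would help the next maintainer. Dropping `output "api_request_result"` also breaks any wrapper that read it, which is worth a line in the Revision History rather than leaving only the unchanged 20231226 row.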
