diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index ec1d4c7b..57d7bd0b 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md 
@@ -70,74 +70,77 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | + | **location** | The region where the resources will be deployed at. 
| string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | + | | | | | | | **frontend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet. | list(number) | - | | | | | | + | | | | | | | **backend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet. 
| list(number) | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | - | | | | | | - | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | - | | | | | | - | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation - To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: ``` @@ -186,7 +189,7 @@ availability_type = "Availability Zone" disk_size = "110" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -197,6 +200,8 @@ availability_type = "Availability Zone" create_public_ip_prefix = false existing_public_ip_prefix_id = "" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/high-availability-existing-vnet/cloud-init.sh b/terraform/azure/high-availability-existing-vnet/cloud-init.sh index 447b2e2f..0609bfcf 100755 --- a/terraform/azure/high-availability-existing-vnet/cloud-init.sh +++ b/terraform/azure/high-availability-existing-vnet/cloud-init.sh 
@@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -18,3 +18,5 @@ customMetrics="${enable_custom_metrics}" adminShell="${admin_shell}" smart1CloudToken="${smart_1_cloud_token}" Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]' +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf index c5f332fb..d145e84f 100755 --- a/terraform/azure/high-availability-existing-vnet/main.tf +++ b/terraform/azure/high-availability-existing-vnet/main.tf @@ -27,6 +27,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -373,6 +375,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" { enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } 
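Review bot: The added `passwordHash="${serial_console_password_hash}"` in the `@@ -18,3 +18,5 @@` hunk is double-quoted, while the README in this same commit tells users to generate the value with `openssl passwd -6`, whose output has the form `$6$<salt>$<hash>`; if this file is executed or sourced by a shell after Terraform renders it (line 1 is outside the hunk, so I cannot confirm the shebang), the `$6` and `$<salt>` fragments would be expanded as shell parameters and the stored hash corrupted. The existing `Vips='[...]'` line just above already uses single quotes for a rendered value, so the same form is safe here: `passwordHash='${serial_console_password_hash}'` and `MaintenanceModePassword='${maintenance_mode_password_hash}'` (crypt-style hashes never contain a single quote). The two new names also mix camelCase and PascalCase with the surrounding assignments; if nothing downstream depends on the exact spelling, `maintenanceModePasswordHash` would match the rest of the file.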
@@ -465,6 +469,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/high-availability-existing-vnet/terraform.tfvars b/terraform/azure/high-availability-existing-vnet/terraform.tfvars index 5b0d11f7..541113c2 100755 --- a/terraform/azure/high-availability-existing-vnet/terraform.tfvars +++ b/terraform/azure/high-availability-existing-vnet/terraform.tfvars @@ -21,7 +21,7 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" 
@@ -31,4 +31,6 @@ enable_floating_ip = "PLEASE ENTER true or false" use_public_ip_prefix = "PLEASE ENTER true or false" # false create_public_ip_prefix = "PLEASE ENTER true or false" # false existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # "" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" \ No newline at end of file +admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf index cc8465fd..e71ffe87 100755 --- a/terraform/azure/high-availability-existing-vnet/variables.tf +++ b/terraform/azure/high-availability-existing-vnet/variables.tf @@ -46,6 +46,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "smart_1_cloud_token_a" { description = "Smart-1 Cloud Token, for configuring member A" type = string @@ -105,10 +115,10 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R80.40", + "R8040", "R81", - "R81.10", - "R81.20" + "R8110", + "R8120" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md index 7872cc5b..9873dd99 100755 
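Review bot: The re-added `admin_shell` line drops the closing quote of its example comment, `# "/etc/cli.sh` where the removed line had `# "/etc/cli.sh"`; Terraform ignores the comment, but it no longer matches the other example comments in this file and should read `admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh"`. Since the line is being rewritten anyway, the pre-existing `ETNER` placeholder typo could be corrected to `ENTER` in the same edit.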
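Review bot: Both new `variable` blocks in the `@@ -46,6 +46,16 @@` hunk declare `type = string` with no `default`, so Terraform will prompt for a value (or fail in a non-interactive run) on every existing deployment, even though the description calls `serial_console_password_hash` optional and `maintenance_mode_password_hash` relevant only to R81.20 and higher; adding `default = ""` to each keeps existing tfvars files working. The values are password hashes that are rendered into custom data and echoed in plan output, so `sensitive = true` is worth adding as well, provided the Terraform version this project targets supports it (0.14 and later). The descriptions here also omit the generation hints (`openssl passwd -6`, `grub2-mkpasswd-pbkdf2`) that the README in this commit gives; a one-line pointer in each description would keep the two in step.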
--- a/terraform/azure/high-availability-new-vnet/README.md +++ b/terraform/azure/high-availability-new-vnet/README.md 
@@ -74,68 +74,71 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | - | | | | | | - | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | + | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 
number, and 1 special character | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | - | | | | | | - | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | - | | | | | | - | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation - To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: ``` @@ -181,7 +184,7 @@ availability_type = "Availability Zone" disk_size = "110" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -192,6 +195,8 @@ availability_type = "Availability Zone" create_public_ip_prefix = false existing_public_ip_prefix_id = "" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/high-availability-new-vnet/cloud-init.sh b/terraform/azure/high-availability-new-vnet/cloud-init.sh index 447b2e2f..0609bfcf 100755 --- a/terraform/azure/high-availability-new-vnet/cloud-init.sh +++ b/terraform/azure/high-availability-new-vnet/cloud-init.sh 
@@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -18,3 +18,5 @@ customMetrics="${enable_custom_metrics}" adminShell="${admin_shell}" smart1CloudToken="${smart_1_cloud_token}" Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]' +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf index ad0b7391..a24c1a9e 100755 --- a/terraform/azure/high-availability-new-vnet/main.tf +++ b/terraform/azure/high-availability-new-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -393,7 +395,9 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" { external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell - smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } 
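Review bot: `passwordHash="${serial_console_password_hash}"` double-quotes a value that, per the README rows, comes from `openssl passwd -6` and therefore begins with `$6$` and contains further `$`-delimited fields; if this file is sourced by a shell — which the `osVersion=` space fix in the first hunk suggests — those `$…` runs undergo parameter expansion and the stored hash is silently altered. Single-quote it the way the `Vips=` line already does, `passwordHash='${serial_console_password_hash}'`, and for consistency `MaintenanceModePassword='${maintenance_mode_password_hash}'`. The mixed naming (`passwordHash` camelCase beside `MaintenanceModePassword` PascalCase, the latter holding a hash rather than a password) is worth aligning with the surrounding variables. The management-existing-vnet/cloud-init.sh hunk adds the same two lines and needs the same change.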
@@ -486,6 +490,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/high-availability-new-vnet/terraform.tfvars b/terraform/azure/high-availability-new-vnet/terraform.tfvars index 30eac7d7..8da5b3f2 100755 --- a/terraform/azure/high-availability-new-vnet/terraform.tfvars +++ b/terraform/azure/high-availability-new-vnet/terraform.tfvars @@ -18,7 +18,7 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" @@ -28,4 +28,6 @@ enable_floating_ip = "PLEASE ENTER true or false" use_public_ip_prefix = "PLEASE ENTER true or false" # false create_public_ip_prefix = "PLEASE ENTER true or false" # false existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # "" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" \ No newline at end of file +admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file 
diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf
index 8a1730e6..e02bd80a 100755
--- a/terraform/azure/high-availability-new-vnet/variables.tf
+++ b/terraform/azure/high-availability-new-vnet/variables.tf
@@ -46,6 +46,16 @@ variable "admin_password" {
 type = string
 }
 
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
 variable "smart_1_cloud_token_a" {
 description = "Smart-1 Cloud Token, for configuring member A"
 type = string
@@ -105,10 +115,10 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20"
+ "R8110",
+ "R8120"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md
index ead3b999..88420291 100755
--- a/terraform/azure/management-existing-vnet/README.md
+++ b/terraform/azure/management-existing-vnet/README.md
@@ -70,56 +70,59 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | | **mgmt_name** | Management name. | string | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | - | | | | | | + | | | | | | + | **location** | The region where the resources will be deployed at. 
| string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | + | | | | | | + | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | + | | | | | | | **subnet_1st_Address** | The first available address of the subnet | string | - | | | | | | + | | | | | | | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | - | | | | | | - | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | + | | | | | | + | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the 
image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Example @@ -142,11 +145,13 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "mgmt-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/management-existing-vnet/cloud-init.sh b/terraform/azure/management-existing-vnet/cloud-init.sh index ebb936cf..4639554e 100755 --- a/terraform/azure/management-existing-vnet/cloud-init.sh +++ b/terraform/azure/management-existing-vnet/cloud-init.sh @@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" 
@@ -12,3 +12,5 @@ location="${location}" managementGUIClientNetwork="${management_GUI_client_network}" enableApi="${enable_api}" adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/management-existing-vnet/main.tf b/terraform/azure/management-existing-vnet/main.tf index 0c7548db..8050d61c 100755 --- a/terraform/azure/management-existing-vnet/main.tf +++ b/terraform/azure/management-existing-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -260,6 +262,8 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" { management_GUI_client_network = var.management_GUI_client_network enable_api = var.mgmt_enable_api admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/management-existing-vnet/terraform.tfvars b/terraform/azure/management-existing-vnet/terraform.tfvars index 0d5ba85b..b6bb59bd 100755 --- a/terraform/azure/management-existing-vnet/terraform.tfvars +++ b/terraform/azure/management-existing-vnet/terraform.tfvars 
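Review bot: The new `passwordHash="${serial_console_password_hash}"` line is double-quoted, and a hash produced by `openssl passwd -6` (the command the README recommends) has the form `$6$<salt>$<hash>`, so if this header is executed by bash as the rest of the file appears to be, `$6` and `$<salt>` undergo parameter expansion and the stored value is silently mangled, leaving serial-console login broken with no error. Single quotes stop the expansion and are transparent to Terraform's template rendering: `passwordHash='${serial_console_password_hash}'` and `MaintenanceModePassword='${maintenance_mode_password_hash}'` (the `grub2-mkpasswd-pbkdf2` output has no `$`, but quoting it the same way costs nothing). The second name also reads as if it held a cleartext password; `maintenanceModePasswordHash` would match both `passwordHash` and the Terraform variable, unless a consumer outside this hunk depends on the current name. The same two lines are added in the cloud-init.sh hunks at L197, L202 and L207.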
@@ -18,8 +18,10 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf index 27af4c05..aa648953 100755 --- a/terraform/azure/management-existing-vnet/variables.tf +++ b/terraform/azure/management-existing-vnet/variables.tf @@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "authentication_type" { description = "Specifies whether a password authentication or SSH Public Key authentication should be used" type = string 
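Review bot: The new `serial_console_password_hash` and `maintenance_mode_password_hash` placeholders are added to terraform.tfvars, a file that is auto-loaded and typically committed next to the template, so a real value pasted here lands in version control; a password hash is not the password, but it is offline-crackable and should be treated as confidential. It would help to add a comment on each line pointing users to supply the value out of band, e.g. `# prefer TF_VAR_serial_console_password_hash or an untracked *.auto.tfvars` and, since the README calls the parameter optional, to show the empty form `serial_console_password_hash = ""` for deployments that do not use the serial console. The same placeholders are added in the tfvars hunks at L198, L203 and L208.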
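Review bot: The two new `variable` blocks for `serial_console_password_hash` and `maintenance_mode_password_hash` are declared with `type = string` only: no `sensitive = true`, so the hash appears verbatim in `terraform plan`/`apply` output and in state diffs, and no `default`, so the description's "Optional parameter" is not honoured — omitting the variable makes Terraform prompt for it (or fail with `-input=false`) instead of skipping the feature. Adding `default = ""` and `sensitive = true` to both blocks fixes both points, assuming the downstream scripts, which are outside this hunk, treat an empty hash as "not configured". The same two blocks are added in L198, L204, L208 and in the shared module at L209, which should be changed together so the `sensitive` flag is not lost at the module boundary.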
@@ -79,10 +89,10 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20"
+ "R8110",
+ "R8120"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md
index 66b35155..0e9e2419 100755
--- a/terraform/azure/management-new-vnet/README.md
+++ b/terraform/azure/management-new-vnet/README.md
@@ -72,54 +72,57 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | | **mgmt_name** | Management name. | string | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address space that is used by a Virtual Network. | string | A valid address in CIDR notation. | - | | | | | | - | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation. | - | | | | | | + | | | | | | + | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **address_space** | The address space that is used by a Virtual Network. | string | A valid address in CIDR notation. 
| + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation. | + | | | | | | | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | - | | | | | | - | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | + | | | | | | + | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the 
image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Example @@ -141,11 +144,13 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "mgmt-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/management-new-vnet/cloud-init.sh b/terraform/azure/management-new-vnet/cloud-init.sh index ebb936cf..4639554e 100755 --- a/terraform/azure/management-new-vnet/cloud-init.sh +++ b/terraform/azure/management-new-vnet/cloud-init.sh @@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" 
@@ -12,3 +12,5 @@ location="${location}" managementGUIClientNetwork="${management_GUI_client_network}" enableApi="${enable_api}" adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/management-new-vnet/main.tf b/terraform/azure/management-new-vnet/main.tf index fd1e4d6f..3ac18c91 100755 --- a/terraform/azure/management-new-vnet/main.tf +++ b/terraform/azure/management-new-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -266,6 +268,8 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" { management_GUI_client_network = var.management_GUI_client_network enable_api = var.mgmt_enable_api admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/management-new-vnet/terraform.tfvars b/terraform/azure/management-new-vnet/terraform.tfvars index 3b90b131..e37216dd 100755 --- a/terraform/azure/management-new-vnet/terraform.tfvars +++ b/terraform/azure/management-new-vnet/terraform.tfvars 
@@ -17,8 +17,10 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" \ No newline at end of file +admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf index e6c050bb..1582e333 100755 --- a/terraform/azure/management-new-vnet/variables.tf +++ b/terraform/azure/management-new-vnet/variables.tf @@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "authentication_type" { description = "Specifies whether a password authentication or SSH Public Key authentication should be used" type = string 
@@ -78,10 +88,10 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20",
+ "R8110",
+ "R8120",
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md
index c42185a0..dc8dff16 100755
--- a/terraform/azure/mds-existing-vnet/README.md
+++ b/terraform/azure/mds-existing-vnet/README.md
@@ -129,7 +129,10 @@ This solution uses the following modules: | **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false; | | | | | | | | **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false; | - + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Example @@ -152,7 +155,7 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "mgmt-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -162,6 +165,8 @@ This solution uses the following modules: primary = "true" secondary = "false" logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/mds-existing-vnet/azure_public_key b/terraform/azure/mds-existing-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/mds-existing-vnet/cloud-init.sh b/terraform/azure/mds-existing-vnet/cloud-init.sh index 5a96e349..627de012 100755 --- a/terraform/azure/mds-existing-vnet/cloud-init.sh +++ b/terraform/azure/mds-existing-vnet/cloud-init.sh 
@@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -16,3 +16,5 @@ sicKey="${sic_key}" primary="${primary}" secondary="${secondary}" logserver="${logserver}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/mds-existing-vnet/main.tf b/terraform/azure/mds-existing-vnet/main.tf index d6a9a4bb..57d1f095 100755 --- a/terraform/azure/mds-existing-vnet/main.tf +++ b/terraform/azure/mds-existing-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -264,6 +266,8 @@ resource "azurerm_virtual_machine" "mds-vm-instance" { primary = var.primary secondary = var.secondary logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/mds-existing-vnet/terraform.tfvars b/terraform/azure/mds-existing-vnet/terraform.tfvars index d9fd964d..700f850d 100755 --- a/terraform/azure/mds-existing-vnet/terraform.tfvars +++ b/terraform/azure/mds-existing-vnet/terraform.tfvars 
@@ -18,7 +18,7 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" @@ -27,4 +27,6 @@ sic_key = "PLEASE ENTER SIC KEY" installation_type = "PLEASE ENTER INSTALLATION TYPE" # "mds-primary" primary = "PLEASE ENTER true or false" # "true" secondary = "PLEASE ENTER true or false" # "false" -logserver = "PLEASE ENTER true or false" # "false" \ No newline at end of file +logserver = "PLEASE ENTER true or false" # "false" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf index 30d2d464..0951961f 100755 --- a/terraform/azure/mds-existing-vnet/variables.tf +++ b/terraform/azure/mds-existing-vnet/variables.tf 
@@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "authentication_type" { description = "Specifies whether a password authentication or SSH Public Key authentication should be used" type = string @@ -99,10 +109,10 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R80.40", + "R8040", "R81", - "R81.10", - "R81.20" + "R8110", + "R8120" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md index a5c325b6..b126b29a 100755 --- a/terraform/azure/mds-new-vnet/README.md +++ b/terraform/azure/mds-new-vnet/README.md @@ -123,7 +123,10 @@ This solution uses the following modules: | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | | | | | | | | **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | - + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Example @@ -145,7 +148,7 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "mgmt-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -155,6 +158,8 @@ This solution uses the following modules: primary = "true" secondary = "false" logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/mds-new-vnet/azure_public_key b/terraform/azure/mds-new-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/mds-new-vnet/cloud-init.sh b/terraform/azure/mds-new-vnet/cloud-init.sh index 5a96e349..627de012 100755 --- a/terraform/azure/mds-new-vnet/cloud-init.sh +++ b/terraform/azure/mds-new-vnet/cloud-init.sh @@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" 
@@ -16,3 +16,5 @@ sicKey="${sic_key}" primary="${primary}" secondary="${secondary}" logserver="${logserver}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/mds-new-vnet/main.tf b/terraform/azure/mds-new-vnet/main.tf index b28f39e5..0b78214f 100755 --- a/terraform/azure/mds-new-vnet/main.tf +++ b/terraform/azure/mds-new-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -270,6 +272,8 @@ resource "azurerm_virtual_machine" "mds-vm-instance" { primary = var.primary secondary = var.secondary logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/mds-new-vnet/terraform.tfvars b/terraform/azure/mds-new-vnet/terraform.tfvars index 3da17c62..9c789043 100755 --- a/terraform/azure/mds-new-vnet/terraform.tfvars +++ b/terraform/azure/mds-new-vnet/terraform.tfvars @@ -17,7 +17,7 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" 
@@ -26,4 +26,6 @@ sic_key = "PLEASE ENTER SIC KEY" installation_type = "PLEASE ENTER INSTALLATION TYPE" # "mds-primary" primary = "PLEASE ENTER true or false" # "true" secondary = "PLEASE ENTER true or false" # "false" -logserver = "PLEASE ENTER true or false" # "false" \ No newline at end of file +logserver = "PLEASE ENTER true or false" # "false" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf index 7877ca55..49d00ff5 100755 --- a/terraform/azure/mds-new-vnet/variables.tf +++ b/terraform/azure/mds-new-vnet/variables.tf @@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "authentication_type" { description = "Specifies whether a password authentication or SSH Public Key authentication should be used" type = string @@ -98,10 +108,10 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R80.40", + "R8040", "R81", - "R81.10", - "R81.20" + "R8110", + "R8120" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf index 2d59d38e..4a5c6fb9 100755 --- a/terraform/azure/modules/common/variables.tf +++ b/terraform/azure/modules/common/variables.tf 
@@ -26,6 +26,16 @@ variable "admin_password" {
 type = string
 }
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
 variable "tags" {
 type = map(string)
 description = "A map of the tags to use on the resources that are deployed with this module."
@@ -67,10 +77,10 @@ variable "os_version"{
 locals {
 // locals for 'os_version' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20"
+ "R8110",
+ "R8120"
 ]
 // will fail if [var.installation_type] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md
index 092238dc..d057b4a6 100755
--- a/terraform/azure/single-gateway-existing-vnet/README.md
+++ b/terraform/azure/single-gateway-existing-vnet/README.md
@@ -127,7 +127,10 @@ This solution uses the following modules:
 | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | | | | | | | | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | - + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation - To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: @@ -158,13 +161,15 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" enable_custom_metrics = true admin_shell = "/etc/cli.sh" installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/single-gateway-existing-vnet/azure_public_key b/terraform/azure/single-gateway-existing-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/single-gateway-existing-vnet/cloud-init.sh b/terraform/azure/single-gateway-existing-vnet/cloud-init.sh index 3e1b6830..71bf3916 100755 --- a/terraform/azure/single-gateway-existing-vnet/cloud-init.sh +++ b/terraform/azure/single-gateway-existing-vnet/cloud-init.sh 
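Review bot: `terraform/azure/single-gateway-existing-vnet/azure_public_key` is added as an empty file (`index 00000000..e69de29b` is the empty blob) with mode `100755`, and nothing in the visible hunks references it, so it looks like a local artifact committed by accident rather than part of this change. If it is intended as the place where an operator drops an SSH public key, it should not be executable, and the repository should ignore the path (or document it) so that a populated key file — or a private key saved under a similar name by mistake — does not land in a future commit. The same empty file is added under single-gateway-new-vnet on L221.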
@@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -13,4 +13,6 @@ adminShell="${admin_shell}" sicKey="${sic_key}" managementGUIClientNetwork="${management_GUI_client_network}" smart1CloudToken="${smart_1_cloud_token}" -customMetrics="${enable_custom_metrics}" \ No newline at end of file +customMetrics="${enable_custom_metrics}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/terraform/azure/single-gateway-existing-vnet/main.tf b/terraform/azure/single-gateway-existing-vnet/main.tf index bb69816e..ae237a2b 100755 --- a/terraform/azure/single-gateway-existing-vnet/main.tf +++ b/terraform/azure/single-gateway-existing-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -201,6 +203,8 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" { management_GUI_client_network = var.management_GUI_client_network smart_1_cloud_token = var.smart_1_cloud_token enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/single-gateway-existing-vnet/terraform.tfvars b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars index 972e8948..b790e590 100755 --- a/terraform/azure/single-gateway-existing-vnet/terraform.tfvars 
+++ b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars
@@ -21,10 +21,12 @@ vm_size = "PLEASE ENTER VM SIZE"
 disk_size = "PLEASE ENTER DISK SIZE" # "110"
 vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
 vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
-os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
 bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 allow_upload_download = "PLEASE ENTER true or false" # true
 authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
 enable_custom_metrics = "PLEASE ENTER true or false" # true
 admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
-installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
\ No newline at end of file
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf
index 5cdd4c62..00782ca7 100755
--- a/terraform/azure/single-gateway-existing-vnet/variables.tf
+++ b/terraform/azure/single-gateway-existing-vnet/variables.tf
@@ -32,6 +32,16 @@ variable "admin_password" {
 type = string
 }
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
 variable "smart_1_cloud_token" {
 description = "Smart-1 Cloud Token"
 type = string
@@ -92,10 +102,10 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20"
+ "R8110",
+ "R8120"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md
index f17cb846..a9821d54 100755
--- a/terraform/azure/single-gateway-new-vnet/README.md
+++ b/terraform/azure/single-gateway-new-vnet/README.md
@@ -127,6 +127,10 @@ This solution uses the following modules:
 | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | | | | | | | | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | | string | gateway;
standalone; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation @@ -156,13 +160,15 @@ This solution uses the following modules: disk_size = "110" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" enable_custom_metrics = true admin_shell = "/etc/cli.sh" installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/azure/single-gateway-new-vnet/azure_public_key b/terraform/azure/single-gateway-new-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/single-gateway-new-vnet/cloud-init.sh b/terraform/azure/single-gateway-new-vnet/cloud-init.sh index 3e1b6830..71bf3916 100755 --- a/terraform/azure/single-gateway-new-vnet/cloud-init.sh +++ b/terraform/azure/single-gateway-new-vnet/cloud-init.sh 
@@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -13,4 +13,6 @@ adminShell="${admin_shell}" sicKey="${sic_key}" managementGUIClientNetwork="${management_GUI_client_network}" smart1CloudToken="${smart_1_cloud_token}" -customMetrics="${enable_custom_metrics}" \ No newline at end of file +customMetrics="${enable_custom_metrics}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/terraform/azure/single-gateway-new-vnet/main.tf b/terraform/azure/single-gateway-new-vnet/main.tf index 52e36dd6..7e2bb8a1 100755 --- a/terraform/azure/single-gateway-new-vnet/main.tf +++ b/terraform/azure/single-gateway-new-vnet/main.tf @@ -26,6 +26,8 @@ module "common" { vm_os_offer = var.vm_os_offer is_blink = var.is_blink authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -201,6 +203,8 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" { management_GUI_client_network = var.management_GUI_client_network smart_1_cloud_token = var.smart_1_cloud_token enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/single-gateway-new-vnet/terraform.tfvars b/terraform/azure/single-gateway-new-vnet/terraform.tfvars index 583a059e..1eaa4e3f 100755 --- a/terraform/azure/single-gateway-new-vnet/terraform.tfvars +++ b/terraform/azure/single-gateway-new-vnet/terraform.tfvars 
@@ -19,10 +19,12 @@ vm_size = "PLEASE ENTER VM SIZE"
 disk_size = "PLEASE ENTER DISK SIZE" # "110"
 vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
 vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
-os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
 bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 allow_upload_download = "PLEASE ENTER true or false" # true
 authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
 enable_custom_metrics = "PLEASE ENTER true or false" # true
 admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
-installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
\ No newline at end of file
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf
index 828dccb3..9edcd860 100755
--- a/terraform/azure/single-gateway-new-vnet/variables.tf
+++ b/terraform/azure/single-gateway-new-vnet/variables.tf
@@ -31,6 +31,16 @@ variable "admin_password" {
 type = string
 }
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
 variable "smart_1_cloud_token" {
 description = "Smart-1 Cloud Token"
 type = string
@@ -91,10 +101,10 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R80.40",
+ "R8040",
 "R81",
- "R81.10",
- "R81.20"
+ "R8110",
+ "R8120"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md
index fd3918cc..ccc6c3bf 100755
--- a/terraform/azure/vmss-existing-vnet/README.md
+++ b/terraform/azure/vmss-existing-vnet/README.md
@@ -70,81 +70,85 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | + | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as 
a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", 
"Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -172,7 +176,7 @@ enable_custom_metrics = true disk_size = "110" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -190,6 +194,8 @@ enable_custom_metrics = true enable_floating_ip = false deployment_mode = "Standard" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Deploy Without Public IP diff --git a/terraform/azure/vmss-existing-vnet/cloud-init.sh b/terraform/azure/vmss-existing-vnet/cloud-init.sh index a778fed2..f11f72c3 100755 --- a/terraform/azure/vmss-existing-vnet/cloud-init.sh +++ b/terraform/azure/vmss-existing-vnet/cloud-init.sh @@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" 
@@ -13,3 +13,5 @@ sicKey="${sic_key}" vnet="${vnet}" customMetrics="${enable_custom_metrics}" adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/vmss-existing-vnet/main.tf b/terraform/azure/vmss-existing-vnet/main.tf index 6c65e7a1..a7c29cae 100755 --- a/terraform/azure/vmss-existing-vnet/main.tf +++ b/terraform/azure/vmss-existing-vnet/main.tf @@ -38,6 +38,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -273,6 +275,8 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { vnet=data.azurerm_subnet.frontend.address_prefix enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars index ba35f68c..78ee10b9 100755 --- a/terraform/azure/vmss-existing-vnet/terraform.tfvars +++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars 
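Review bot: The value substituted into `passwordHash="${serial_console_password_hash}"` is a crypt(3) string of the form `$6$salt$hash` (the README in this same commit tells users to produce it with `openssl passwd -6`), and inside double quotes a shell expands `$6` and `$salt` before the assignment happens, leaving a mangled hash on the instance. If this file is sourced or executed by a shell rather than read as key=value text by the Check Point first-boot handler (the shebang is outside the hunk), the line should be `passwordHash='${serial_console_password_hash}'` — single quotes are safe here because the Terraform template substitutes the value before the shell ever sees it. `grub2-mkpasswd-pbkdf2` output (`grub.pbkdf2.sha512.…`) contains no `$`, so `MaintenanceModePassword` is not affected, but the name says Password while the variable holds a hash; `maintenanceModePasswordHash` would match the `passwordHash` convention unless the downstream parser requires this exact key.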
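Review bot: `module "common"` is now passed `serial_console_password_hash` and `maintenance_mode_password_hash`, but no hunk for `modules/common` appears anywhere in this diff (the file list goes from the high-availability README straight to `vmss-existing-vnet`), so unless the module already declares both inputs from an earlier change, `terraform validate` fails on these two lines with an "Unsupported argument" error. Worth confirming `modules/common/variables.tf`, and giving the module-side declarations `default = ""` so the other templates that call `module "common"` without these arguments keep working. The `module "common"` block starts above the hunk.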
@@ -18,7 +18,7 @@ vm_size = "PLEASE ENTER VM SIZE"
 disk_size = "PLEASE ENTER DISK SIZE" # "110"
 vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
 vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
-os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
 bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 allow_upload_download = "PLEASE ENTER true or false" # true
 authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
@@ -35,4 +35,6 @@ backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION P
 enable_custom_metrics = "PLEASE ENTER true or false" # true
 enable_floating_ip = "PLEASE ENTER true or false" # false
 deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
-admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh"
\ No newline at end of file
+admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf
index f1fdcecc..72ed67a4 100755
--- a/terraform/azure/vmss-existing-vnet/variables.tf
+++ b/terraform/azure/vmss-existing-vnet/variables.tf
@@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "availability_zones_num" { description = "The number of availability zones to use for Scale Set. Note that the load balancers and their IP addresses will be redundant in any case" #Availability Zones are only supported in several regions at this time @@ -108,10 +118,10 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R80.40", + "R8040", "R81", - "R81.10", - "R81.20" + "R8110", + "R8120" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md index e0153f55..6d604508 100755 --- a/terraform/azure/vmss-new-vnet/README.md +++ b/terraform/azure/vmss-new-vnet/README.md 
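Review bot: Both new variables are described as optional (`description = "Optional parameter, …"`) yet declare `type = string` with no `default`, so a run that omits them from terraform.tfvars prompts interactively or fails with a required-variable error, contradicting the README for this template. The values are password hashes that end up in the instance custom data, so they are credential material and should not be echoed in `terraform plan`/`apply` output; `sensitive = true` (Terraform 0.14+) redacts them there, although they still land in state. The declarations below add both, assuming the first-boot handler treats an empty value as "not set" — worth confirming — and the R81.20+ restriction from the description is kept so operators on older versions know the value is ignored.

```hcl
variable "serial_console_password_hash" {
  description = "Optional. SHA-512 crypt hash (openssl passwd -6) that enables serial-console login when authentication_type is SSH Public Key. Leave empty to disable."
  type        = string
  default     = ""
  sensitive   = true
}

variable "maintenance_mode_password_hash" {
  description = "Optional. GRUB2 PBKDF2 hash (grub2-mkpasswd-pbkdf2) for maintenance mode. Relevant only for R81.20 and higher; leave empty otherwise."
  type        = string
  default     = ""
  sensitive   = true
}
```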
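Review bot: Replacing `"R80.40"`, `"R81.10"` and `"R81.20"` with `"R8040"`, `"R8110"` and `"R8120"` in `os_version_allowed_values` rejects every existing terraform.tfvars that still carries the dotted form, and because the check is the `index()` trick in `validate_os_version_value`, the failure surfaces as an "item not found" error from `index()` rather than naming the accepted values. A `validation` block on `variable "os_version"` with `condition = contains(["R8040", "R81", "R8110", "R8120"], var.os_version)` and an `error_message` stating the new undotted format would make the migration self-explaining; the README example in this same commit shows only the new value and does not say the old one is rejected. `variable "os_version"` itself starts above the hunk.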
@@ -74,79 +74,83 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | + | Name | Description | Type | Allowed values | + | ------------- | ------------- 
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | + | | | | | | | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | + | | | | | | | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | - | | | | | | - | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| number | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | + | | | | | | + | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the 
given prefix| number | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | + | | | | | | | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", 
"Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -191,6 +195,8 @@ enable_custom_metrics = true enable_floating_ip = false deployment_mode = "Standard" admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ## Deploy Without Public IP diff --git a/terraform/azure/vmss-new-vnet/cloud-init.sh b/terraform/azure/vmss-new-vnet/cloud-init.sh index a778fed2..f11f72c3 100755 --- a/terraform/azure/vmss-new-vnet/cloud-init.sh +++ b/terraform/azure/vmss-new-vnet/cloud-init.sh @@ -2,7 +2,7 @@ installationType="${installation_type}" allowUploadDownload="${allow_upload_download}" -osVersion= "${os_version}" +osVersion="${os_version}" templateName="${template_name}" templateVersion="${template_version}" templateType="${template_type}" @@ -13,3 +13,5 @@ sicKey="${sic_key}" vnet="${vnet}" customMetrics="${enable_custom_metrics}" adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/vmss-new-vnet/main.tf b/terraform/azure/vmss-new-vnet/main.tf index e2b283f5..c4c02de6 100755 --- a/terraform/azure/vmss-new-vnet/main.tf +++ b/terraform/azure/vmss-new-vnet/main.tf 
@@ -38,6 +38,8 @@ module "common" { vm_os_sku = var.vm_os_sku vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash } //********************** Networking **************************// @@ -290,6 +292,8 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { vnet=module.vnet.subnet_prefixes[0] enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } diff --git a/terraform/azure/vmss-new-vnet/terraform.tfvars b/terraform/azure/vmss-new-vnet/terraform.tfvars index 1d4e9522..7ec1a18f 100755 --- a/terraform/azure/vmss-new-vnet/terraform.tfvars +++ b/terraform/azure/vmss-new-vnet/terraform.tfvars @@ -17,7 +17,7 @@ vm_size = "PLEASE ENTER VM SIZE" disk_size = "PLEASE ENTER DISK SIZE" # "110" vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R81.10" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = "PLEASE ENTER true or false" # true authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" 
@@ -34,4 +34,6 @@ backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION P enable_custom_metrics = "PLEASE ENTER true or false" # true enable_floating_ip = "PLEASE ENTER true or false" # false deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" \ No newline at end of file +admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf index 42a48f99..519e620c 100755 --- a/terraform/azure/vmss-new-vnet/variables.tf +++ b/terraform/azure/vmss-new-vnet/variables.tf @@ -31,6 +31,16 @@ variable "admin_password" { type = string } +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + variable "availability_zones_num" { description = "The number of availability zones to use for Scale Set. Note that the load balancers and their IP addresses will be redundant in any case" #Availability Zones are only supported in several regions at this time @@ -108,10 +118,10 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R80.40", + "R8040", "R81", - "R81.10", - "R81.20", + "R8110", + "R8120", ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
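Review bot: `variable "serial_console_password_hash"` and `variable "maintenance_mode_password_hash"` carry descriptions saying they are optional, but neither has a `default`, so omitting them makes `terraform plan` prompt or fail with a required-variable error, and the hashes — credential material that is also placed into custom data — print in plan output. Adding `default = ""` and `sensitive = true` to both blocks closes that gap (Terraform 0.14+ for `sensitive`), on the assumption that the first-boot handler treats an empty value as unset, which is worth confirming against the cloud-init consumer. The same `README.md` table in this commit lists `serial_console_password_hash` as an "Optional parameter", so the defaults also make the documentation truthful.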