From 82fa26d61c46b0ed02fe2c0901f5ed61d94f38df Mon Sep 17 00:00:00 2001
From: Yair Raviv <118274492+chkp-yairra@users.noreply.github.com>
Date: Thu, 21 Sep 2023 12:01:29 +0300
Subject: [PATCH] Terraform GCP | Added single GW into new vpc template

* Terraform GCP | Added Single GW into new VPC template
---
 .../gcp/single-into-existing-vpc/README.md | 2 +-
 .../gcp/single-into-existing-vpc/main.tf | 2 +-
 .../single-into-existing-vpc/terraform.tfvars | 2 +-
 .../gcp/single-into-existing-vpc/variables.tf | 2 +-
 terraform/gcp/single-into-new-vpc/README.md | 270 ++++++++++++++++++
 terraform/gcp/single-into-new-vpc/main.tf | 90 ++++++
 terraform/gcp/single-into-new-vpc/output.tf | 30 ++
 .../gcp/single-into-new-vpc/terraform.tfvars | 45 +++
 .../gcp/single-into-new-vpc/variables.tf | 256 +++++++++++++++++
 9 files changed, 695 insertions(+), 4 deletions(-)
 create mode 100755 terraform/gcp/single-into-new-vpc/README.md
 create mode 100755 terraform/gcp/single-into-new-vpc/main.tf
 create mode 100755 terraform/gcp/single-into-new-vpc/output.tf
 create mode 100755 terraform/gcp/single-into-new-vpc/terraform.tfvars
 create mode 100755 terraform/gcp/single-into-new-vpc/variables.tf

diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/terraform/gcp/single-into-existing-vpc/README.md
index 3d22c88f..a3213acb 100755
--- a/terraform/gcp/single-into-existing-vpc/README.md
+++ b/terraform/gcp/single-into-existing-vpc/README.md
@@ -140,7 +140,7 @@ network_enableSctp= false
 network_sctpSourceRanges= [""]
 network_enableEsp= false
 network_espSourceRanges= [""]
-numAdditionalNICs= 0
+numAdditionalNICs= 1
 externalIP= "static"
 internal_network1_network= [""]
 internal_network1_subnetwork = [""]
diff --git a/terraform/gcp/single-into-existing-vpc/main.tf b/terraform/gcp/single-into-existing-vpc/main.tf
index dc09c821..aeab8b93 100755
--- a/terraform/gcp/single-into-existing-vpc/main.tf
+++ b/terraform/gcp/single-into-existing-vpc/main.tf
@@ -214,5 +214,5 @@ resource "google_compute_instance" "gateway" {
   })
 }
 resource "google_compute_address" "static" {
-  name = "ipv4-address"
+  name = "ipv4-address-${random_string.random_string.result}"
 }
\ No newline at end of file
diff --git a/terraform/gcp/single-into-existing-vpc/terraform.tfvars b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
index 6ce213f7..8ac21504 100755
--- a/terraform/gcp/single-into-existing-vpc/terraform.tfvars
+++ b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
@@ -34,7 +34,7 @@ network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP"
 network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # [""]
 network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
 network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [""]
-numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 0
+numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
 externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
 internal_network1_network = "PLEASE ENTER INTERNAL_NETWORK1_NETWORK" # [""]
 internal_network1_subnetwork = "PLEASE ENTER INTERNAL_NETWORK1_SUBNETWORK" # [""]
diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/terraform/gcp/single-into-existing-vpc/variables.tf
index 2382bf55..0b4718bc 100755
--- a/terraform/gcp/single-into-existing-vpc/variables.tf
+++ b/terraform/gcp/single-into-existing-vpc/variables.tf
@@ -15,7 +15,7 @@ variable "zone" {
 }
 variable "image_name" {
   type = string
-  description = "The single gateway and management image name"
+  description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
 }
 variable "installationType" {
   type = string
diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md
new file mode 100755
index 00000000..857b7c75
--- /dev/null
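Review bot: Renaming `google_compute_address.static` from `ipv4-address` to `ipv4-address-${random_string.random_string.result}` forces a destroy-and-recreate of the reserved address on every existing deployment of this module, because `name` is immutable on `google_compute_address`; the gateway's public IP changes, which breaks management connectivity, SIC trust established against the old address, and any remote allowlists keyed on it. The suffix itself is the right fix for name collisions now that single-into-new-vpc instantiates this module, but it is a breaking change for in-place upgrades and should be called out as such in the revision history, e.g. `# NOTE: renaming this resource replaces the static IP of an already-deployed gateway`. This assumes `random_string.random_string` is declared elsewhere in this main.tf, which the hunk does not show.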
+++ b/terraform/gcp/single-into-new-vpc/README.md 
@@ -0,0 +1,270 @@ +# Check Point single gateway and management Terraform module for GCP + +Terraform module which deploys a single gateway and management of Check Point Security Gateways. + +These types of Terraform resources are supported: + [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) + [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) + [Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + + +See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.get + compute.addresses.use + compute.addresses.create + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.images.getFromFamily + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.addAccessConfig + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setTags + compute.instances.setLabels + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + iam.serviceAccounts.set + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in single/terraform.tfvars file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +installationType = "Gateway only" +license = "BYOL" +prefix = "chkp-single-tf-" +management_nic = "Ephemeral Public IP (eth0)" +admin_shell = "/etc/cli.sh" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +generatePassword = false +allow_upload_download = true +sicKey = "" +managementGUIClientNetwork = "0.0.0.0/0" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +region = "us-central1" +zone = "us-central1-a" +subnetwork_cidr = "10.0.0.0/24" +network_enableTcp= true +network_tcpSourceRanges= ["0.0.0.0/0"] +network_enableGwNetwork= false +network_gwNetworkSourceRanges= [] +network_enableIcmp= false +network_icmpSourceRanges = [] +network_enableUdp= false +network_udpSourceRanges= [] +network_enableSctp= false +network_sctpSourceRanges= [] +network_enableEsp= false +network_espSourceRanges= [] +numAdditionalNICs= 1 +externalIP= "static" 
+internal_subnetwork_cidr = "10.0.1.0/24" + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +diskType = "SSD Persistent Disk" +bootDiskSizeGb = 100 +enableMonitoring = false + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = ["0.0.0.0/0"] +SCTP_traffic = ["0.0.0.0/0"] +ESP_traffic = ["0.0.0.0/0"] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values |Default| Required | +| ------------- | ------------- | ------------- | ------------- |-------|---------------| +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| | | | | | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| region | GCP region | string | N/A | N/A | yes | +| | | | | | +| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| +| | | | | | +| image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). 
You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| +| | | | | | +| license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| +| | | | | | +| prefix | (Optional) Resources name prefix|string|N\A|chkp-single-tf-|no| +| | | | | | +| machineType | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4|no| +| | | | | | +| subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| network_enableTcp | Allow TCP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_tcpSourceRanges | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableGwNetwork | This is relevant for Management only. The network in which managed gateways reside | boolean | true;
false; |false|no| +| | | | | | +| network_gwNetworkSourceRanges | Allow TCP traffic from the Internet | list(string) | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) |N/A|no| +| | | | | | +| network_enableIcmp | Allow ICMP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_icmpSourceRanges | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableUdp | Allow UDP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_udpSourceRanges | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableSctp | Allow SCTP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_sctpSourceRanges | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableEsp | Allow ESP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_espSourceRanges | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| diskType | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)|SSD Persistent Disk|no| +| | | | | | +| bootDiskSizeGb | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)|100|no| +| | | | | | +| generatePassword | Automatically generate an administrator password | boolean | true;
false; |false|no| +| | | | | | +| allowUploadDownload | Allow download from/upload to Check Point | boolean | true;
false; |false|no| +| | | | | | +| enableMonitoring | Enable Stackdriver monitoring | boolean | true;
false; |false|no| +| | | | | | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
|/etc/cli.sh|no| +| | | | | | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| | | | | | +| sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| +| | | | | | +| managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| +| | | | | | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| numAdditionalNICs | Number of additional network interfaces | number | A number in the range 0 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) |0|no| +| | | | | | +| externalIP | External IP address type | string | Static;
Ephemeral;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |static|no| +| | | | | | +| internal_subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) |XEphemeral Public IP (eth0)|no| +| | | | | | + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------| +| 20230921 | Added single-into-new-vpc template. | +| | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/gcp/single-into-new-vpc/main.tf b/terraform/gcp/single-into-new-vpc/main.tf new file mode 100755 index 00000000..1597ae33 --- /dev/null +++ b/terraform/gcp/single-into-new-vpc/main.tf 
@@ -0,0 +1,90 @@
+provider "google" {
+  credentials = file(var.service_account_path)
+  project = var.project
+  region = var.region
+}
+
+resource "random_string" "random_string" {
+  length = 5
+  special = false
+  upper = false
+  keepers = {}
+}
+
+resource "google_compute_network" "network" {
+  name = "${var.prefix}-network-${random_string.random_string.result}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnetwork" {
+  name = "${var.prefix}-subnetwork-${random_string.random_string.result}"
+  ip_cidr_range = var.subnetwork_cidr
+  private_ip_google_access = true
+  region = var.region
+  network = google_compute_network.network.id
+}
+
+resource "google_compute_network" "internal_network" {
+  name = "${var.prefix}-internal-network-${random_string.random_string.result}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "internal_subnetwork" {
+  name = "${var.prefix}-internal-subnetwork-${random_string.random_string.result}"
+  ip_cidr_range = var.internal_subnetwork_cidr
+  private_ip_google_access = true
+  region = var.region
+  network = google_compute_network.internal_network.id
+}
+
+
+module "single-into-existing-vpc" {
+  source = "../single-into-existing-vpc"
+
+  service_account_path = var.service_account_path
+  project = var.project
+
+
+  # --- Check Point Deployment---
+  image_name = var.image_name
+  installationType = var.installationType
+  license = var.license
+  prefix = var.prefix
+  management_nic = var.management_nic
+  admin_shell = var.admin_shell
+  admin_SSH_key = var.admin_SSH_key
+  generatePassword = var.generatePassword
+  allowUploadDownload = var.allowUploadDownload
+  sicKey = var.sicKey
+  managementGUIClientNetwork = var.managementGUIClientNetwork
+
+  # --- Quick connect to Smart-1 Cloud ---
+  smart_1_cloud_token = var.smart_1_cloud_token
+
+  # --- Networking ---
+  zone = var.zone
+  network = [google_compute_network.network.name]
+  subnetwork = [google_compute_subnetwork.subnetwork.name]
+  network_enableTcp = var.network_enableTcp
+  network_tcpSourceRanges = var.network_tcpSourceRanges
+  network_enableGwNetwork = var.network_enableGwNetwork
+  network_gwNetworkSourceRanges = var.network_gwNetworkSourceRanges
+  network_enableIcmp = var.network_enableIcmp
+  network_icmpSourceRanges = var.network_icmpSourceRanges
+  network_enableUdp = var.network_enableUdp
+  network_udpSourceRanges = var.network_udpSourceRanges
+  network_enableSctp = var.network_enableSctp
+  network_sctpSourceRanges = var.network_sctpSourceRanges
+  network_enableEsp = var.network_enableEsp
+  network_espSourceRanges = var.network_espSourceRanges
+  numAdditionalNICs = var.numAdditionalNICs
+  externalIP = var.externalIP
+  internal_network1_network = [google_compute_network.internal_network.name]
+  internal_network1_subnetwork = [google_compute_subnetwork.internal_subnetwork.name]
+
+  # --- Instances configuration---
+  machine_type = var.machine_type
+  diskType = var.diskType
+  bootDiskSizeGb = var.bootDiskSizeGb
+  enableMonitoring = var.enableMonitoring
+}
\ No newline at end of file
diff --git a/terraform/gcp/single-into-new-vpc/output.tf b/terraform/gcp/single-into-new-vpc/output.tf
new file mode 100755
index 00000000..f1ba99cf
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/output.tf
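Review bot: `numAdditionalNICs = var.numAdditionalNICs` is passed straight through, yet this wrapper always creates exactly one internal VPC/subnetwork and wires it as `internal_network1_*`; presumably the child module expects one internal network per additional NIC, so a value of 0 leaves the internal VPC orphaned and a value above 1 references networks this file never creates. Add a `validation` block to the `numAdditionalNICs` declaration in variables.tf (outside this hunk), e.g. `condition = var.numAdditionalNICs == 1` with an error message stating that this template provisions a single internal network, or at minimum a comment on the pass-through line recording that constraint. Separately, the default `prefix` is `chkp-single-tf-` (trailing hyphen), so `"${var.prefix}-network-${random_string.random_string.result}"` and the three sibling `name` values produce names like `chkp-single-tf--network-xxxxx`; `"${trimsuffix(var.prefix, "-")}-network-${random_string.random_string.result}"` avoids the double hyphen without changing behaviour for prefixes that lack one.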
@@ -0,0 +1,30 @@
+output "network" {
+  value = google_compute_network.network.name
+}
+output "subnetwork" {
+  value = google_compute_subnetwork.subnetwork.name
+}
+output "internal_network" {
+  value = google_compute_network.internal_network.name
+}
+output "internal_subnetwork" {
+  value = google_compute_subnetwork.internal_subnetwork.name
+}
+output "SIC_key" {
+  value = module.single-into-existing-vpc.SIC_key
+}
+output "ICMP_firewall_rules_name" {
+  value = module.single-into-existing-vpc.ICMP_firewall_rules_name
+}
+output "TCP_firewall_rules_name" {
+  value = module.single-into-existing-vpc.TCP_firewall_rules_name
+}
+output "UDP_firewall_rules_name" {
+  value = module.single-into-existing-vpc.UDP_firewall_rules_name
+}
+output "SCTP_firewall_rules_name" {
+  value = module.single-into-existing-vpc.SCTP_firewall_rules_name
+}
+output "ESP_firewall_rules_name" {
+  value = module.single-into-existing-vpc.ESP_firewall_rules_name
+}
diff --git a/terraform/gcp/single-into-new-vpc/terraform.tfvars b/terraform/gcp/single-into-new-vpc/terraform.tfvars
new file mode 100755
index 00000000..b387fa3d
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/terraform.tfvars
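Review bot: `output "SIC_key"` re-exports the Secure Internal Communication one-time secret from the child module without `sensitive = true`, so it is echoed in clear text at the end of every `terraform apply` and by `terraform output`, and ends up in CI logs; add `sensitive = true` to that output (the value is still written to state, so state storage needs protecting regardless). If the child module's `SIC_key` output is itself declared sensitive, which this hunk cannot show, Terraform 0.15 and later will in fact refuse to apply this root output until the flag is present. The remaining outputs only expose resource and firewall-rule names and can stay as they are.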
@@ -0,0 +1,45 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment---
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622"
+installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
+management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
+admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
+admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false
+allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false
+sicKey = "PLEASE ENTER SIC KEY" # ""
+managementGUIClientNetwork = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking---
+region = "PLEASE ENTER REGION" # "us-central1"
+zone = "PLEASE ENTER ZONE" # "us-central1-a"
+subnetwork_cidr = "PLEASE ENTER SUBNETWORK CIDR" # "10.0.1.0/24"
+network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false
+network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # []
+network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false
+network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # []
+network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false
+network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # []
+network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false
+network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # []
+network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false
+network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # []
+network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
+network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # []
+numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
+externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
+internal_subnetwork_cidr = "PLEASE ENTER INTERNAL SUBNETWORK CIDR" # "10.0.2.0/24"
+
+# --- Instances configuration---
+machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4"
+diskType = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+bootDiskSizeGb = "PLEASE ENTER BOOT DISK SIZE GB" # 100
+enableMonitoring = "PLEASE ENTER ENABLE MONITORING" # false
\ No newline at end of file
diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/terraform/gcp/single-into-new-vpc/variables.tf
new file mode 100755
index 00000000..51d15492
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/variables.tf
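Review bot: Once populated, this file holds `sicKey`, `smart_1_cloud_token`, `admin_SSH_key` and the path to the service-account key, yet it is shipped as a committed template whose placeholders invite users to fill it in and commit the result. A header comment such as `# NOTE: do not commit this file once populated - sicKey and smart_1_cloud_token are secrets; prefer TF_VAR_* environment variables or a git-ignored *.auto.tfvars` would make that explicit and matches the README's advice to keep the service-account JSON somewhere secure. The sample value in the `subnetwork_cidr` comment (`10.0.1.0/24`) also differs from the README example (`10.0.0.0/24`); aligning the two avoids confusion about which range is the external subnet.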
@@ -0,0 +1,256 @@
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zone" {
+ type = string
+ description = "The zone determines what computing resources are available and where your data is stored and used"
+ default = "us-central1-a"
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
+}
+variable "installationType" {
+ type = string
+ description = "Installation type and version"
+ default = "Gateway only"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-single-tf-"
+}
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "subnetwork_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "internal_subnetwork_cidr" {
+ type = string
+ description = "The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "network_enableTcp" {
+ type = bool
+ description = "Allow TCP traffic from the Internet"
+ default = false
+}
+variable "network_tcpSourceRanges" {
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableGwNetwork" {
+ type = bool
+ description = "This is relevant for Management only. The network in which managed gateways reside"
+ default = false
+}
+variable network_gwNetworkSourceRanges{
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableIcmp" {
+ type = bool
+ description ="Allow ICMP traffic from the Internet"
+ default = false
+}
+variable "network_icmpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable network_enableUdp{
+ type = bool
+ description ="Allow UDP traffic from the Internet"
+ default = false
+}
+variable "network_udpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "network_enableSctp" {
+ type = bool
+ description ="Allow SCTP traffic from the Internet"
+ default = false
+}
+variable "network_sctpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+
+variable "network_enableEsp" {
+ type = bool
+ description ="Allow ESP traffic from the Internet "
+ default = false
+}
+variable "network_espSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "diskType" {
+ type = string
+ description ="Disk type"
+ default = "pd-ssd"
+}
+variable "bootDiskSizeGb" {
+ type = number
+ description ="Disk size in GB"
+ default = 100
+}
+variable "generatePassword" {
+ type = bool
+ description ="Automatically generate an administrator password "
+ default = false
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "allowUploadDownload" {
+ type = string
+ description ="Allow download from/upload to Check Point"
+ default = true
+}
+variable "enableMonitoring" {
+ type = bool
+ description ="Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "sicKey" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
+ default = ""
+}
+variable "managementGUIClientNetwork" {
+ type = string
+ description ="Allowed GUI clients "
+ default = "0.0.0.0/0"
+}
+variable "smart_1_cloud_token" {
+ type = string
+ description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "numAdditionalNICs" {
+ type = number
+ description ="Number of additional network interfaces"
+ default = 0
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+}
+variable "internal_network1_network" {
+ type = list(string)
+ description = "1st internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network1_subnetwork" {
+ type = list(string)
+ description = "1st internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network2_network" {
+ type = list(string)
+ description = "2nd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network2_subnetwork" {
+ type = list(string)
+ description = "2nd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network3_network" {
+ type = list(string)
+ description = "3rd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network3_subnetwork" {
+ type = list(string)
+ description = "3rd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network4_network" {
+ type = list(string)
+ description = "4th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network4_subnetwork" {
+ type = list(string)
+ description = "4th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network5_network" {
+ type = list(string)
+ description = "5th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network5_subnetwork" {
+ type = list(string)
+ description = "5th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network6_network" {
+ type = list(string)
+ description = "6th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network6_subnetwork" {
+ type = list(string)
+ description = "6th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network7_network" {
+ type = list(string)
+ description = "7th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network7_subnetwork" {
+ type = list(string)
+ description = "7th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network8_network" {
+ type = list(string)
+ description = "8th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network8_subnetwork" {
+ type = list(string)
+ description = "8th internal subnet ID in the chosen network."
+ default = []
+}
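Review bot: `managementGUIClientNetwork` carries `default = "0.0.0.0/0"`, so a deployment that never sets it allows GUI-client traffic from every source by default; the safer declaration is to drop the default entirely so `terraform plan` fails until the operator states an admin range, or at minimum change the description to `"Allowed GUI clients (CIDR). Do not leave as 0.0.0.0/0 on an Internet-facing gateway."`. `sicKey` and `smart_1_cloud_token` are one-time secrets but neither is marked sensitive, so their values appear in plan output and error diagnostics; add `sensitive = true` to both (supported from Terraform 0.14 — the module's required_version is not visible in this hunk, so confirm it). `allowUploadDownload` is declared `type = string` with `default = true` while every other on/off switch here is `type = bool`; Terraform silently converts the default to the string "true", and the declaration should be `type = bool` to match the `# false` example in terraform.tfvars. Several descriptions are copy-paste leftovers — `network_tcpSourceRanges` and `network_gwNetworkSourceRanges` both read "Allow TCP traffic from the Internet" rather than describing source ranges, "leave empty list to unable … traffic" should say "disable", and `region`/`machine_type` have no description — and `variable network_gwNetworkSourceRanges{` / `variable network_enableUdp{` use an unquoted name and no space, unlike the rest of the file. The `internal_network1..8_network`/`_subnetwork` lists are declared but this template's tfvars does not set them and provides `internal_subnetwork_cidr` instead, so if main.tf does not reference them they are dead inputs inherited from the existing-VPC variant and should be removed.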