diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index 010c785a..67b81e1e 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json 
@@ -1038,6 +1038,100 @@ "hideConfirmation": false } }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, { "name": "bootstrapScript", "type": "Microsoft.Common.FileUpload", @@ -1307,7 +1401,9 @@ "tagsByResource": "[steps('tags').tagsByResource]", "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", - "NewNsgName": "[steps('network').NSGName]" + "NewNsgName": "[steps('network').NSGName]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } } diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json index 7887219d..0dbb61af 100644 --- a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json +++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json 
@@ -64,13 +64,6 @@ "description": "Email address to notify if there are any scaling operations" } }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "Administrator password" - }, - "defaultValue": "" - }, "authenticationType": { "type": "string", "allowedValues": [ @@ -89,6 +82,27 @@ "description": "Administrator SSH public key" } }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, "vmName": { "type": "string", "metadata": { 
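Review bot: The two new parameters spell the metadata key as `"Description"`, while `adminPassword` in this same hunk uses lowercase `"description"`, which is the key ARM tooling reads; with the capitalised key the text may not be surfaced as the parameter description. Suggested lines: `"description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"` and `"description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"`. It would also help to state in both descriptions that the value must be a salted hash and never a plaintext password, since nothing at the template level enforces that. The same parameter block is added to the marketplace-ha, marketplace-management, marketplace-mds and marketplace-single mainTemplate.json files.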
@@ -401,7 +415,7 @@ "subnet1Name": "[parameters('subnet1Name')]", "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", "storageAccountType": "Standard_LRS", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", "imageReferenceBYOL": { 
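Review bot: The two new `securestring` parameters are spliced verbatim between `\"` delimiters in `customData`, so a value containing a double quote or a newline would change how the following key/value lines are read; the parser in `/etc/cloud_config.py` is not visible here, so the impact is unconfirmed. The portal form is the only place that constrains these values, and a direct template deployment bypasses it. Custom data is typically retrievable from inside the guest, so the hashes should be treated there as material that can be attacked offline, and Azure guidance advises against placing sensitive values in custom data. The same line already carries `bootstrapScript64` for free-form content; if the consumer can be changed to decode it, `'passwordHash=\"', base64(parameters('SerialConsolePasswordHash')), '\"'` (and likewise for `MaintenanceModePassword`) would remove the quoting dependency. The same change is made to `customData` in the marketplace-ha, marketplace-management, marketplace-mds and marketplace-single mainTemplate.json files.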
diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index 85547ad5..a512e202 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json +++ b/azure/templates/marketplace-ha/createUiDefinition.json 
@@ -1368,6 +1368,100 @@ }, "visible": "true" }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, { "name": "managedSystemAssigned", "type": "Microsoft.Common.OptionsGroup", 
@@ -2056,7 +2150,9 @@ "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", "VipsNumber": "[int(steps('network').Vips_Number)]", - "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]" + "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } } \ No newline at end of file diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json index 0f2399c5..02d26faa 100644 --- a/azure/templates/marketplace-ha/mainTemplate.json +++ b/azure/templates/marketplace-ha/mainTemplate.json @@ -30,13 +30,6 @@ "description": "Check Point CloudGuard version" } }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "Administrator password" - }, - "defaultValue": "" - }, "authenticationType": { "type": "string", "allowedValues": [ 
@@ -55,6 +48,27 @@ "description": "Administrator SSH public key" } }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, "floatingIP": { "type": "string", "allowedValues": [ 
@@ -381,7 +395,7 @@ "storageAccountType": "Standard_LRS", "diskSize100GB": 100, "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 
'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", "imageReferenceBYOL": { diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 8003021d..6bc6e5af 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json 
@@ -339,6 +339,100 @@ }, "count": 1 }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, { "name": "installationType", "type": "Microsoft.Common.DropDown", @@ -690,7 +784,9 @@ "tagsByResource": "[steps('tags').tagsByResource]", "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", - "NewNsgName": "[steps('network').NSGName]" + "NewNsgName": "[steps('network').NSGName]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } } \ No newline at end of file diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json index f62b9c2e..ef70b1dc 100644 --- a/azure/templates/marketplace-management/mainTemplate.json +++ b/azure/templates/marketplace-management/mainTemplate.json 
@@ -26,13 +26,6 @@ "description": "Version of Check Point CloudGuard" } }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "Administrator password" - }, - "defaultValue": "" - }, "authenticationType": { "type": "string", "allowedValues": [ @@ -51,6 +44,27 @@ "description": "Administrator SSH public key" } }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, "vmName": { "type": "string", "metadata": { 
@@ -274,7 +288,7 @@ "storageAccountType": "Standard_LRS", "diskSize100GB": 100, "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'enableApi=\"', parameters('enableApi'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'enableApi=\"', parameters('enableApi'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "customData64": "[base64(variables('customData'))]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", 
diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json index 8f311f6f..550dd1b6 100644 --- a/azure/templates/marketplace-mds/createUiDefinition.json +++ b/azure/templates/marketplace-mds/createUiDefinition.json 
@@ -299,6 +299,100 @@ }, "visible": "[not(equals(steps('chkp').installationType, 'mds-primary'))]" }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, { "name": "bootstrapScript", "type": "Microsoft.Common.FileUpload", @@ -567,7 +661,9 @@ "tagsByResource": "[steps('tags').tagsByResource]", "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", - "NewNsgName": "[steps('network').NSGName]" + "NewNsgName": "[steps('network').NSGName]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } } \ No newline at end of file diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json index ce2fade1..67f87bd4 100644 --- a/azure/templates/marketplace-mds/mainTemplate.json +++ b/azure/templates/marketplace-mds/mainTemplate.json 
@@ -22,13 +22,6 @@ "description": "Version of Check Point CloudGuard" } }, - "adminPassword": { - "type": "securestring", - "metadata": { - "description": "Administrator password" - }, - "defaultValue": "" - }, "authenticationType": { "type": "string", "allowedValues": [ @@ -47,6 +40,27 @@ "description": "Administrator SSH public key" } }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, "vmName": { "type": "string", "metadata": { 
@@ -260,7 +274,7 @@ "storageAccountType": "Standard_LRS", "diskSize100GB": 100, "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'sicKey=\"', parameters('sicKey'), '\"', '\n', 'primary=\"', variables('primary'), '\"', '\n', 'secondary=\"', variables('secondary'), '\"', '\n', 'logserver=\"', variables('logserver'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'sicKey=\"', parameters('sicKey'), '\"', '\n', 'primary=\"', variables('primary'), '\"', '\n', 'secondary=\"', variables('secondary'), '\"', '\n', 'logserver=\"', variables('logserver'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', 
parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "customData64": "[base64(variables('customData'))]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json index 8944a842..3dc92225 100644 --- a/azure/templates/marketplace-single/createUiDefinition.json +++ b/azure/templates/marketplace-single/createUiDefinition.json 
@@ -1409,6 +1409,100 @@ }, "visible": "[not(equals(steps('chkp').installationType, 'standalone'))]" }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, { "name": "bootstrapScript", "type": "Microsoft.Common.FileUpload", @@ -1759,7 +1853,9 @@ "tagsByResource": "[steps('tags').tagsByResource]", "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", - "NewNsgName": "[steps('network').NSGName]" + "NewNsgName": "[steps('network').NSGName]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } } diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json index 2f5f8a7a..ea865347 100644 --- a/azure/templates/marketplace-single/mainTemplate.json +++ b/azure/templates/marketplace-single/mainTemplate.json 
@@ -37,13 +37,6 @@
 "description": "Version of Check Point CloudGuard"
 }
 },
- "adminPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Administrator password"
- },
- "defaultValue": ""
- },
 "authenticationType": {
 "type": "string",
 "allowedValues": [
@@ -62,6 +55,27 @@
 "description": "Administrator SSH public key"
 }
 },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "MaintenanceModePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ }
+ },
+ "SerialConsolePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ }
+ },
 "vmName": {
 "type": "string",
 "metadata": {
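Review bot: The two new parameters spell the metadata key `"Description"` with a capital D, while `adminPassword` in the same hunk and the neighbouring parameters use `"description"`. Tooling that reads `metadata.description` case-sensitively would presumably treat them as undocumented, so I would write `"description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"` and likewise for `SerialConsolePasswordHash`. The serial console description could also say that the value must be a password hash, not a plaintext password, because a direct template deployment bypasses the portal UI and its tooltip. The same spelling appears in the marketplace-vmss/mainTemplate.json hunk at `@@ -95,6 +88,27 @@`.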
@@ -322,7 +336,7 @@
 "storageAccountType": "Standard_LRS",
 "diskSize100GB": 100,
 "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
- "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n')]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
 "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
 "imagePublisher": "checkpoint",
 "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8040'), equals(variables('osVersion'),'R81'), equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'))), 'mgmt-byol', 'sg-byol')]",
diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json
index 931ada2b..85659909 100644
--- a/azure/templates/marketplace-vmss/createUiDefinition.json
+++ b/azure/templates/marketplace-vmss/createUiDefinition.json
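Review bot: The two `securestring` parameters are concatenated into `customData`, so the hashes lose the handling `securestring` gives them: Azure's guidance is not to pass secrets in custom data, and a crypt or PBKDF2 hash can still be attacked offline by anyone who can read it on the guest. `sicKey` already travels the same way, so this follows the existing pattern, but it is worth confirming that the consumer (`/etc/cloud_config.py`, not shown here) removes the values after applying them. The values are also placed between `\"` and `\"` without escaping, so a value containing a double quote or a newline would change how the following lines are parsed, and a direct template deployment bypasses the UI regex entirely. The `variables` object starts and ends outside the hunk. The marketplace-vmss/mainTemplate.json hunk at `@@ -533,7 +547,7 @@` makes the same change.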
@@ -1953,6 +1953,100 @@
 "hideConfirmation": false
 }
 },
+ {
+ "name": "SerialPasswordInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password"
+ }
+ },
+ {
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "name": "EnableSerialConsolePassword",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Serial console password",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM connection via serial console.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "name": "AdditionalPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'",
+ "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]",
+ "label": {
+ "password": "Password hash",
+ "confirmPassword": "Confirm password"
+ },
+ "constraints": {
+ "required": true,
+ "regex": "^.{12,300}$",
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "MaintenanceModeInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(bool(basics('auth').password), not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)))]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting a maintenance-mode password for recovery purposes."
+ }
+ },
+ {
+ "visible": "[not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion))]",
+ "name": "EnableMaintenanceMode",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Maintenance Mode",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM maintenance mode.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "visible": "[and(not(contains('R80.40 R81 R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]",
+ "name": "MaintenanceModePassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "defaultValue": "",
+ "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.",
+ "label": {
+ "password": "Maintenance Mode password hash",
+ "confirmPassword": "Confirm Password"
+ },
+ "constraints": {
+ "required": true,
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
 {
 "name": "bootstrapScript",
 "type": "Microsoft.Common.FileUpload",
@@ -2250,7 +2344,9 @@
 "tagsByResource": "[steps('tags').tagsByResource]",
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
- "NewNsgName": "[steps('network').NSGName]"
+ "NewNsgName": "[steps('network').NSGName]",
+ "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
+ "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
 }
 }
 }
diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json
index 7360c6f5..541cee05 100644
--- a/azure/templates/marketplace-vmss/mainTemplate.json
+++ b/azure/templates/marketplace-vmss/mainTemplate.json
@@ -70,13 +70,6 @@
 "description": "Email address to notify if there are any scaling operations"
 }
 },
- "adminPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Administrator password"
- },
- "defaultValue": ""
- },
 "authenticationType": {
 "type": "string",
 "allowedValues": [
@@ -95,6 +88,27 @@
 "description": "Administrator SSH public key"
 }
 },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "MaintenanceModePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ }
+ },
+ "SerialConsolePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ }
+ },
 "vmName": {
 "type": "string",
 "metadata": {
@@ -533,7 +547,7 @@
 "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]",
 "storageAccountType": "Standard_LRS",
 "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]",
- "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
 "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
 "imagePublisher": "checkpoint",
 "imageReferenceBYOL": {