diff --git a/.gitignore b/.gitignore index b19ec88e..61049654 100755 --- a/.gitignore +++ b/.gitignore @@ -137,4 +137,7 @@ dmypy.json .pytype/ # Cython debug symbols -cython_debug/ \ No newline at end of file +cython_debug/ + +# deprecated files +deprecated/ \ No newline at end of file diff --git a/aws/templates/cluster/README.md b/aws/templates/cluster/README.md index 03bbe934..4ffc3c43 100644 --- a/aws/templates/cluster/README.md +++ b/aws/templates/cluster/README.md @@ -23,4 +23,18 @@
-
\ No newline at end of file +
+## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/aws/templates/geo-cluster/README.md b/aws/templates/geo-cluster/README.md index e6e30d5d..15f20e38 100644 --- a/aws/templates/geo-cluster/README.md +++ b/aws/templates/geo-cluster/README.md @@ -23,4 +23,18 @@
-
\ No newline at end of file +
+## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md index 26eda643..2eab3fa0 100644 --- a/aws/templates/gwlb-asg/README.md +++ b/aws/templates/gwlb-asg/README.md @@ -56,3 +56,18 @@

+ +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240414 | Add support for Elastic Load Balancer Health Checks. | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221226 | Support ASG Launch Template instead of Launch Configuration. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | diff --git a/aws/templates/management/README.md b/aws/templates/management/README.md index f8565c48..8b1950f0 100644 --- a/aws/templates/management/README.md +++ b/aws/templates/management/README.md @@ -19,4 +19,17 @@
-
\ No newline at end of file +
+## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | diff --git a/aws/templates/single-gw/README.md b/aws/templates/single-gw/README.md index 34e01aba..81e7b828 100644 --- a/aws/templates/single-gw/README.md +++ b/aws/templates/single-gw/README.md @@ -23,3 +23,18 @@

+ +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Stability fixes. | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support. | diff --git a/aws/templates/standalone/README.md b/aws/templates/standalone/README.md index b7afb4c3..2cc7031d 100644 --- a/aws/templates/standalone/README.md +++ b/aws/templates/standalone/README.md @@ -24,3 +24,18 @@

+ +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | - Stability fixes.
- Add support for BYOL license type for Standalone. | +| 20230923 | Add support for C5d instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/aws/templates/tgw-asg/README.md b/aws/templates/tgw-asg/README.md index 1ea088d6..668bebf8 100644 --- a/aws/templates/tgw-asg/README.md +++ b/aws/templates/tgw-asg/README.md @@ -24,3 +24,17 @@

+ +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240414 | Add support for Elastic Load Balancer Health Checks. | +| 20230923 | Add support for C5d instance type. | +| 20221226 | Support ASG Launch Template instead of Launch Configuration. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support. | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | diff --git a/aws/templates/tgw-cross-az-cluster/README.md b/aws/templates/tgw-cross-az-cluster/README.md index f1a6b492..e4c4eec2 100644 --- a/aws/templates/tgw-cross-az-cluster/README.md +++ b/aws/templates/tgw-cross-az-cluster/README.md @@ -23,4 +23,16 @@
-
\ No newline at end of file +
+## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation. | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.
- Multiple VIPs support for Cross Availability Zone Cluster. | +| 20221229 | Removed unsupported versions. | +| 20221123 | Templates version 20221120 and above support R81.20 | diff --git a/aws/templates/tgw-ha/README.md b/aws/templates/tgw-ha/README.md index f069cdd5..a2754f4a 100644 --- a/aws/templates/tgw-ha/README.md +++ b/aws/templates/tgw-ha/README.md @@ -23,4 +23,17 @@
-
\ No newline at end of file +
+## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/deprecated/aws/templates/gateway-r7730/README.md b/deprecated/aws/templates/R77.30/gateway-r7730/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/gateway-r7730/README.md rename to deprecated/aws/templates/R77.30/gateway-r7730/README.md diff --git a/deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json b/deprecated/aws/templates/R77.30/gateway-r7730/gateway-2-nic-existing-vpc.json similarity index 100% rename from deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json rename to deprecated/aws/templates/R77.30/gateway-r7730/gateway-2-nic-existing-vpc.json diff --git a/deprecated/aws/templates/gateways-r7730/README.md b/deprecated/aws/templates/R77.30/gateways-r7730/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/gateways-r7730/README.md rename to deprecated/aws/templates/R77.30/gateways-r7730/README.md diff --git a/deprecated/aws/templates/gateways-r7730/inter-az-cluster.json b/deprecated/aws/templates/R77.30/gateways-r7730/inter-az-cluster.json similarity index 100% rename from deprecated/aws/templates/gateways-r7730/inter-az-cluster.json rename to deprecated/aws/templates/R77.30/gateways-r7730/inter-az-cluster.json 
diff --git a/deprecated/aws/templates/instance-r7730/README.md b/deprecated/aws/templates/R77.30/instance-r7730/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/instance-r7730/README.md rename to deprecated/aws/templates/R77.30/instance-r7730/README.md diff --git a/deprecated/aws/templates/instance-r7730/gwinvpc.json b/deprecated/aws/templates/R77.30/instance-r7730/gwinvpc.json similarity index 100% rename from deprecated/aws/templates/instance-r7730/gwinvpc.json rename to deprecated/aws/templates/R77.30/instance-r7730/gwinvpc.json diff --git a/deprecated/aws/templates/management-r7730/README.md b/deprecated/aws/templates/R77.30/management-r7730/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/management-r7730/README.md rename to deprecated/aws/templates/R77.30/management-r7730/README.md diff --git a/deprecated/aws/templates/management-r7730/r7730-management.json b/deprecated/aws/templates/R77.30/management-r7730/r7730-management.json similarity index 100% rename from deprecated/aws/templates/management-r7730/r7730-management.json rename to deprecated/aws/templates/R77.30/management-r7730/r7730-management.json diff --git a/deprecated/aws/templates/asg-r8030/README.md b/deprecated/aws/templates/R80.30/asg-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/asg-r8030/README.md rename to deprecated/aws/templates/R80.30/asg-r8030/README.md diff --git a/deprecated/aws/templates/asg-r8030/autoscale.json b/deprecated/aws/templates/R80.30/asg-r8030/autoscale.json similarity index 100% rename from deprecated/aws/templates/asg-r8030/autoscale.json rename to deprecated/aws/templates/R80.30/asg-r8030/autoscale.json 
diff --git a/deprecated/aws/templates/cluster-r8030/README.md b/deprecated/aws/templates/R80.30/cluster-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/cluster-r8030/README.md rename to deprecated/aws/templates/R80.30/cluster-r8030/README.md diff --git a/deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json b/deprecated/aws/templates/R80.30/cluster-r8030/cluster-into-vpc.json old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json rename to deprecated/aws/templates/R80.30/cluster-r8030/cluster-into-vpc.json diff --git a/deprecated/aws/templates/cluster-r8030/cluster.json b/deprecated/aws/templates/R80.30/cluster-r8030/cluster.json old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/cluster-r8030/cluster.json rename to deprecated/aws/templates/R80.30/cluster-r8030/cluster.json diff --git a/deprecated/aws/templates/management-r8030/README.md b/deprecated/aws/templates/R80.30/management-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/management-r8030/README.md rename to deprecated/aws/templates/R80.30/management-r8030/README.md diff --git a/deprecated/aws/templates/management-r8030/management.json b/deprecated/aws/templates/R80.30/management-r8030/management.json similarity index 100% rename from deprecated/aws/templates/management-r8030/management.json rename to deprecated/aws/templates/R80.30/management-r8030/management.json diff --git a/deprecated/aws/templates/mds-r8030/README.md b/deprecated/aws/templates/R80.30/mds-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/mds-r8030/README.md rename to deprecated/aws/templates/R80.30/mds-r8030/README.md 
diff --git a/deprecated/aws/templates/mds-r8030/mds.json b/deprecated/aws/templates/R80.30/mds-r8030/mds.json similarity index 100% rename from deprecated/aws/templates/mds-r8030/mds.json rename to deprecated/aws/templates/R80.30/mds-r8030/mds.json diff --git a/deprecated/aws/templates/single-gw-r8030/README.md b/deprecated/aws/templates/R80.30/single-gw-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/single-gw-r8030/README.md rename to deprecated/aws/templates/R80.30/single-gw-r8030/README.md diff --git a/deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json b/deprecated/aws/templates/R80.30/single-gw-r8030/gateway-into-vpc.json old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json rename to deprecated/aws/templates/R80.30/single-gw-r8030/gateway-into-vpc.json diff --git a/deprecated/aws/templates/single-gw-r8030/gateway.json b/deprecated/aws/templates/R80.30/single-gw-r8030/gateway.json old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/single-gw-r8030/gateway.json rename to deprecated/aws/templates/R80.30/single-gw-r8030/gateway.json diff --git a/deprecated/aws/templates/tgw-asg-r8030/README.md b/deprecated/aws/templates/R80.30/tgw-asg-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/tgw-asg-r8030/README.md rename to deprecated/aws/templates/R80.30/tgw-asg-r8030/README.md diff --git a/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml b/deprecated/aws/templates/R80.30/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml similarity index 100% rename from deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml rename to deprecated/aws/templates/R80.30/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml 
diff --git a/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml b/deprecated/aws/templates/R80.30/tgw-asg-r8030/checkpoint-tgw-asg.yaml similarity index 100% rename from deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml rename to deprecated/aws/templates/R80.30/tgw-asg-r8030/checkpoint-tgw-asg.yaml diff --git a/deprecated/aws/templates/transit-vpc-r8030/README.md b/deprecated/aws/templates/R80.30/transit-vpc-r8030/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/transit-vpc-r8030/README.md rename to deprecated/aws/templates/R80.30/transit-vpc-r8030/README.md diff --git a/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml b/deprecated/aws/templates/R80.30/transit-vpc-r8030/checkpoint-transit-master.yaml similarity index 100% rename from deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml rename to deprecated/aws/templates/R80.30/transit-vpc-r8030/checkpoint-transit-master.yaml diff --git a/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml b/deprecated/aws/templates/R80.30/transit-vpc-r8030/checkpoint-transit.yaml similarity index 100% rename from deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml rename to deprecated/aws/templates/R80.30/transit-vpc-r8030/checkpoint-transit.yaml diff --git a/deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml b/deprecated/aws/templates/R80.30/transit-vpc-r8030/transit-master.yaml similarity index 100% rename from deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml rename to deprecated/aws/templates/R80.30/transit-vpc-r8030/transit-master.yaml diff --git a/deprecated/aws/templates/transit-vpc-r8030/transit.yaml b/deprecated/aws/templates/R80.30/transit-vpc-r8030/transit.yaml similarity index 100% rename from deprecated/aws/templates/transit-vpc-r8030/transit.yaml rename to deprecated/aws/templates/R80.30/transit-vpc-r8030/transit.yaml 
diff --git a/deprecated/aws/templates/R80.40/autoscale/autoscale.yaml b/deprecated/aws/templates/R80.40/autoscale/autoscale.yaml new file mode 100755 index 00000000..ce35a882 --- /dev/null +++ b/deprecated/aws/templates/R80.40/autoscale/autoscale.yaml 
@@ -0,0 +1,612 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways 
Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling. + group (comma separated list of ARNs, without spaces) (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + 
ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: !Ref GatewaysSubnets + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: !Ref GatewaysSubnets + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckType: ELB + HealthCheckGracePeriod: 3600 + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', 
[template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: true + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: 
AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/deprecated/aws/templates/R80.40/autoscale/custom-autoscale.yaml b/deprecated/aws/templates/R80.40/autoscale/custom-autoscale.yaml new file mode 100755 index 00000000..70782d13 --- /dev/null +++ b/deprecated/aws/templates/R80.40/autoscale/custom-autoscale.yaml 
@@ -0,0 +1,226 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create an Auto Scaling group of workload servers (__VERSION__)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - ServersSubnets
+ - Label:
+ default: EC2 Instances Configuration
+ Parameters:
+ - ServerAMI
+ - ServerName
+ - ServerInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - Label:
+ default: Auto Scaling Configuration
+ Parameters:
+ - ServersMinSize
+ - ServersMaxSize
+ - AdminEmail
+ - ServersTargetGroups
+ - SourceSecurityGroup
+ ParameterLabels:
+ VPC:
+ default: VPC
+ ServersSubnets:
+ default: Servers subnets
+ ServerAMI:
+ default: Amazon Image ID
+ ServerName:
+ default: Instance Name
+ ServerInstanceType:
+ default: Instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate an Elastic IP
+ ServersMinSize:
+ default: Minimum group size
+ ServerMaxSize:
+ default: Maximum group size
+ AdminEmail:
+ default: Email address
+ ServersTargetGroups:
+ default: Target Groups
+ SourceSecurityGroup:
+ default: Source Security Group
+Parameters:
+ VPC:
+ Description: Select an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ServersSubnets:
+ Description: Select at least 2 subnets in the VPC.
+ Type: List
+ MinLength: 2
+ ServerAMI:
+ Description: AMI of the servers.
+ Type: String
+ AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$'
+ ConstraintDescription: Must be a valid Amazon Machine Image ID.
+ ServerName:
+ Description: The servers name tag.
+ Type: String
+ Default: Server
+ ServerInstanceType:
+ Description: The instance type of the servers.
+ Type: String
+ Default: t3.micro
+ AllowedValues:
+ - t3.nano
+ - t3.micro
+ - t3.small
+ - t3.medium
+ - t3.large
+ - t3.xlarge
+ - t3.2xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instances.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: Allocate an elastic IP for each server.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ ServersMinSize:
+ Description: The minimal number of servers in the Auto Scaling group.
+ Type: Number
+ Default: 2
+ MinValue: 1
+ ServersMaxSize:
+ Description: The maximal number of servers in the Auto Scaling group.
+ Type: Number
+ Default: 10
+ MinValue: 1
+ AdminEmail:
+ Description: Notifications about scaling events will be sent to this email address.
+ (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '(|([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))'
+ ConstraintDescription: Must be a valid email address.
+ ServersTargetGroups:
+ Description: An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces).
+ Type: String
+ Default: ''
+ SourceSecurityGroup:
+ Description: The ID of Security Group from which access will be allowed to the instances in this Auto Scaling group.
+ Type: String
+ Default: ''
+Conditions:
+ ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
+ ProvidedTargetGroups: !Not [!Equals [!Ref ServersTargetGroups, '']]
+ NotProvidedSecurityGroup: !Equals [!Ref SourceSecurityGroup, '']
+Resources:
+ NotificationTopic:
+ Type: AWS::SNS::Topic
+ Condition: ProvidedAdminEmail
+ Properties:
+ Subscription:
+ - Endpoint: !Ref AdminEmail
+ Protocol: email
+ ServersSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Condition: NotProvidedSecurityGroup
+ Properties:
+ Tags:
+ - Key: Name
+ Value: !Join ['_', [!Ref 'AWS::StackName', ServersSecurityGroup]]
+ GroupDescription: Servers security group.
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - IpProtocol: -1
+ CidrIp: 0.0.0.0/0
+ ServersLaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateData:
+ NetworkInterfaces:
+ - DeviceIndex: 0
+ AssociatePublicIpAddress: !Ref AllocatePublicAddress
+ Groups: !If [NotProvidedSecurityGroup, [!Ref ServersSecurityGroup], [!Ref SourceSecurityGroup]]
+ Monitoring:
+ Enabled: true
+ KeyName: !Ref KeyName
+ ImageId: !Ref ServerAMI
+ InstanceType: !Ref ServerInstanceType
+ VersionDescription: Initial template version
+ ServersGroup:
+ Type: AWS::AutoScaling::AutoScalingGroup
+ Properties:
+ VPCZoneIdentifier: !Ref ServersSubnets
+ LaunchTemplate:
+ LaunchTemplateId: !Ref ServersLaunchTemplate
+ Version: !GetAtt ServersLaunchTemplate.LatestVersionNumber
+ MinSize: !Ref ServersMinSize
+ MaxSize: !Ref ServersMaxSize
+ TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref ServersTargetGroups], !Ref 'AWS::NoValue']
+ NotificationConfiguration: !If
+ - ProvidedAdminEmail
+ - TopicARN: !Ref NotificationTopic
+ NotificationTypes:
+ - autoscaling:EC2_INSTANCE_LAUNCH
+ - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
+ - autoscaling:EC2_INSTANCE_TERMINATE
+ - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
+ - !Ref 'AWS::NoValue'
+ Tags:
+ - Key: Name
+ Value: !Ref ServerName
+ PropagateAtLaunch: true
+ ScaleUpPolicy:
+ Type: AWS::AutoScaling::ScalingPolicy
+ Properties:
+ AdjustmentType: ChangeInCapacity
+ AutoScalingGroupName: !Ref ServersGroup
+ Cooldown: 300
+ ScalingAdjustment: 1
+ ScaleDownPolicy:
+ Type: AWS::AutoScaling::ScalingPolicy
+ Properties:
+ AdjustmentType: ChangeInCapacity
+ AutoScalingGroupName: !Ref ServersGroup
+ Cooldown: 300
+ ScalingAdjustment: -1
+ CPUAlarmHigh:
+ Type: AWS::CloudWatch::Alarm
+ Properties:
+ AlarmDescription: Scale-up if CPU > 80% for 10 minutes.
+ MetricName: CPUUtilization
+ Namespace: AWS/EC2
+ Statistic: Average
+ Period: 300
+ EvaluationPeriods: 2
+ Threshold: 80
+ AlarmActions:
+ - !Ref ScaleUpPolicy
+ Dimensions:
+ - Name: AutoScalingGroupName
+ Value: !Ref ServersGroup
+ ComparisonOperator: GreaterThanThreshold
+ CPUAlarmLow:
+ Type: AWS::CloudWatch::Alarm
+ Properties:
+ AlarmDescription: Scale-down if CPU < 60% for 10 minutes.
+ MetricName: CPUUtilization
+ Namespace: AWS/EC2
+ Statistic: Average
+ Period: 300
+ EvaluationPeriods: 2
+ Threshold: 60
+ AlarmActions:
+ - !Ref ScaleDownPolicy
+ Dimensions:
+ - Name: AutoScalingGroupName
+ Value: !Ref ServersGroup
+ ComparisonOperator: LessThanThreshold
diff --git a/deprecated/aws/templates/R80.40/autoscale/tgw-asg-master.yaml b/deprecated/aws/templates/R80.40/autoscale/tgw-asg-master.yaml
new file mode 100755
index 00000000..e2ba00b4
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/autoscale/tgw-asg-master.yaml
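Review bot: The fallback `ServersSecurityGroup`, created whenever `SourceSecurityGroup` is left at its empty default, opens every protocol and port to the internet (`- IpProtocol: -1` / `CidrIp: 0.0.0.0/0`) and is attached to the instances' primary interface by the launch template, so a default deployment with `AllocatePublicAddress: true` exposes the servers completely. Either make `SourceSecurityGroup` mandatory (`Type: AWS::EC2::SecurityGroup::Id`, no `Default`) or narrow the fallback rule to an explicit client-CIDR parameter, and name the exposure in `GroupDescription` instead of the neutral "Servers security group." so it is visible in the console. Separately, the `ParameterLabels` key `ServerMaxSize` does not match the declared parameter `ServersMaxSize`, so that label never applies; it should read `ServersMaxSize:`. This file is the archived R80.40 copy under deprecated/, so the live template presumably carries the same defaults and is worth checking as well.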
@@ -0,0 +1,684 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable 
environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: GatewayName + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. 
+ Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + AllowedPattern: '^[0-9]+$' + Default: 65000 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - 
r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. 
+ Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + MainStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/autoscale/tgw-asg.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + CloudWatch: !Ref CloudWatch + ASN: !Ref ASN + AdminEmail: !Ref AdminEmail + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + 
ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + GatewaysBlades: !Ref GatewaysBlades + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt MainStack.Outputs.ControllerName + ManagementPublicAddress: + Description: The public address of the management servers. + Value: !GetAtt MainStack.Outputs.ManagementPublicAddress + Condition: DeployManagement +Rules: + GatewayAddressRule: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: + - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/autoscale/tgw-asg.yaml b/deprecated/aws/templates/R80.40/autoscale/tgw-asg.yaml new file mode 100755 index 00000000..1214a989 
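Review bot: `AdminCIDR` has no `Default` and its `AllowedPattern` ends in `)?$`, so an empty string passes parameter validation, yet the `Rules` section only guards `GatewaysAddresses`; an empty administrator network is therefore forwarded to `MainStack` unchecked when `ManagementDeploy` is true. What the nested tgw-asg.yaml does with an empty `AdminCIDR` is not visible here, but since the parameter is described as the only network allowed to reach the Management Server's web, SSH and SmartConsole ports, it deserves the same assertion under `GatewayAddressRule` (or a sibling rule with the same `RuleCondition`): `- AssertDescription: "Administrator network (AdminCIDR) must be provided when deploying a Security Management Server"` / `Assert: !Not [!Equals [!Ref AdminCIDR, '']]`. The existing `AssertDescription` also carries a typo in a string users see at validation time, `netowrk` → `network`.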
--- /dev/null +++ b/deprecated/aws/templates/R80.40/autoscale/tgw-asg.yaml 
@@ -0,0 +1,676 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + 
default: Name + GatewayInstanceType: + default: Instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + Default: 65000 + AllowedPattern: '^[0-9]+$' + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - 
r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. + Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). 
+ Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 +Conditions: + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: __URL__/management/management.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: true + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; region=${AWS::Region} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'community="tgw-community" ; controller="tgw-controller"' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="management_tgw_asg"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i 
''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Configuring VPN community: ${community}"' + - '[[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh "${community}" || /etc/fw/scripts/autoprovision/config-community.sh "${community}"' + - 'echo "Setting VPN rules"' + - 'mgmt_cli -r true add access-layer name "Inline"' + - 'mgmt_cli -r true add access-rule layer Network position 1 name "${community} VPN Traffic Rule" vpn.directional.1.from "${community}" vpn.directional.1.to "${community}" vpn.directional.2.from "${community}" vpn.directional.2.to External_clear action "Apply Layer" source "Any" destination "Any" service "Any" inline-layer "Inline"' + - 'mgmt_cli -r true add dynamic-object name "LocalGateway"' + - 'mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source "LocalGateway" method hide' + - 'echo "Setting CME configurations"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po Standard -otp "${sic}" -r "${region}" -ver "${version}" -iam -dt TGW' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -sv -com "${community}"' + - 'autoprov_cfg -f set template -tn "${conf_template}" -vpn -vd "" -con "${community}"' + - '${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ia -ips -appi -av -ab' + - 'echo -e "\nFinished Bootstrap script\n"' + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/autoscale/autoscale.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + 
GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'asn=${ASN}' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="autoscale_tgw"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Setting ASN to: ${asn}"' + - 'clish -c "set as ${asn}" -s' + - 'echo -e "\nFinished Bootstrap script\n"' + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: tgw-controller + ManagementPublicAddress: + Description: The public address of the management servers. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement +Rules: + GatewayAddressRule: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: + - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/cluster/cluster-master.yaml b/deprecated/aws/templates/R80.40/cluster/cluster-master.yaml new file mode 100755 index 00000000..37902602 --- /dev/null +++ b/deprecated/aws/templates/R80.40/cluster/cluster-master.yaml 
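Review bot: `AdminCIDR` accepts an empty string — its `AllowedPattern` wraps the whole CIDR in an optional group (`(...)?$`) and the parameter has no `Default` — yet the `Rules` section only asserts that `GatewaysAddresses` is non-empty when `ManagementDeploy` is `true`, so an empty administrator network is passed to `ManagementStack` unchecked. How `management.yaml` treats an empty `AdminCIDR` is outside this hunk, but for the parameter whose description promises to allow "web, SSH, and graphical clients only from this network", the master template should fail validation itself rather than depend on the nested stack; a rule parallel to `GatewayAddressRule` does that. The pattern also admits `0.0.0.0/0` and the description does not warn about it; consider appending `Do not use 0.0.0.0/0 in production.` to the `AdminCIDR` description. Separately, the SIC key is re-materialised in the bootstrap script (`sic="$(echo <base64> | base64 -d)"` and then `-otp "${sic}"` on the `autoprov_cfg` command line), so it is only as protected as the nested stack's `ManagementBootstrapScript` parameter and the instance user data — whether that nested parameter is `NoEcho` is outside this hunk.
```yaml
Rules:
  # … unchanged: GatewayAddressRule …
  AdminCIDRRule:
    RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
    Assertions:
      - AssertDescription: "Administrator addresses allowed to access the Security Management Server must be provided"
        Assert: !Not [!Equals [!Ref AdminCIDR, '']]
```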
@@ -0,0 +1,512 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPCCIDR: + default: VPC CIDR + AvailabilityZone: + default: Availability zone + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + 
GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the cluster. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block for your VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. 
(optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: __URL__/cluster/cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + 
GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress + ClusterPrivateAliasExternalAddress: + Description: The secondary external private IP address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasExternalAddress + ClusterPrivateAliasInternalAddress: + Description: The secondary internal private IP address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasInternalAddress +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/cluster/cluster.yaml b/deprecated/aws/templates/R80.40/cluster/cluster.yaml new file mode 100755 index 00000000..4b1c93e4 --- /dev/null 
+++ b/deprecated/aws/templates/R80.40/cluster/cluster.yaml 
@@ -0,0 +1,762 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + 
GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. The subnet's route table must have 0.0.0.0/0 route to Internet Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt 
ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join [-, [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ SecondaryPrivateIpAddressCount: 1 + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnet + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, 
!Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref 
VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + 
NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" 
passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. 
+ Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + ClusterPrivateAliasExternalAddress: + Description: The secondary external private IP address of the cluster. + Value: !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] + ClusterPrivateAliasInternalAddress: + Description: The secondary internal private IP address of the cluster. 
+ Value: !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] + +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] + + diff --git a/deprecated/aws/templates/R80.40/cluster/geo-cluster-master.yaml b/deprecated/aws/templates/R80.40/cluster/geo-cluster-master.yaml new file mode 100755 index 00000000..a135499c --- /dev/null +++ b/deprecated/aws/templates/R80.40/cluster/geo-cluster-master.yaml 
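Review bot: The `AllowedPattern` on MemberAToken and MemberBToken, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, puts the prefix inside a character class in its middle alternative, so any value containing whitespace followed by one character from that set passes validation; the prefix was presumably meant as a literal, i.e. `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. The same pattern appears in the MemberAToken/MemberBToken parameters of the preceding hunk. Relatedly, GatewayMaintenancePasswordHash's `AllowedPattern: '[\$\./a-zA-Z0-9]*'` is the only pattern in this file without `^`/`$` anchors; CloudFormation matches the whole value either way, but aligning it with GatewayPasswordHash's `'^[\$\./a-zA-Z0-9]*$'` makes that explicit. PermissiveSecurityGroup admits every protocol from 0.0.0.0/0 with nothing in the template saying why, so a short comment on that resource stating the reason (if it is that the gateway's own policy is expected to filter traffic, say so) would save the next reader from flagging it.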
@@ -0,0 +1,523 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point cross AZ Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination 
Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. The cluster's public IPs will be generated from this subnet. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/geo-cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + 
AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/cluster/geo-cluster.yaml b/deprecated/aws/templates/R80.40/cluster/geo-cluster.yaml new file mode 100755 index 00000000..9db1f13a --- /dev/null +++ b/deprecated/aws/templates/R80.40/cluster/geo-cluster.yaml 
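Review bot: In the MemberAToken and MemberBToken parameters of geo-cluster-master.yaml, the second alternative of `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` is written as a character class, so `[aHR0cHM6Ly9]` matches a single character from that set rather than the literal prefix, and any value containing whitespace followed by one such character passes validation; if the literal base64 `https://` prefix was intended there, the group form `(.*)\s(aHR0cHM6Ly9)(.+)` would enforce it. Because the NoEcho token is handed unchanged to the nested ClusterStack, the loose pattern only moves the failure later — a malformed token would presumably be rejected at gateway boot instead of at stack creation, which is harder to diagnose. The same pattern appears in the geo-cluster.yaml hunk that follows, so both copies should be changed together. As a consistency point, the GatewayMaintenancePasswordHash pattern `'[\$\./a-zA-Z0-9]*'` lacks the `^…$` anchors used by GatewayPasswordHash; AllowedPattern matches the whole value either way, but anchoring both identically avoids the question for the next reader.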
@@ -0,0 +1,734 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP 
token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. 
If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - 
m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. 
+ Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: [MemberAInstance, MemberBInstance] + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: 
AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. 
+ GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + 
Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" 
waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 
'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public 
address of member A. + Value: !Ref MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + MemberBExternalInterface: + Description: The external interface of member B. + Value: !Ref MemberBExternalInterface + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/cluster/tgw-ha-master.yaml b/deprecated/aws/templates/R80.40/cluster/tgw-ha-master.yaml new file mode 100755 index 00000000..b9321374 --- /dev/null +++ b/deprecated/aws/templates/R80.40/cluster/tgw-ha-master.yaml 
@@ -0,0 +1,531 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + TgwSubnet1CIDR: + default: TGW HA subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW HA subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + 
default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW HA subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/tgw-ha.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + TgwHASubnetA: !GetAtt 
VPCStack.Outputs.AttachmentSubnet1ID + TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/cluster/tgw-ha.yaml b/deprecated/aws/templates/R80.40/cluster/tgw-ha.yaml new file mode 100755 index 00000000..18b36563 --- /dev/null +++ b/deprecated/aws/templates/R80.40/cluster/tgw-ha.yaml 
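Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` in the Parameters section is looser than it looks: the second alternative `(.*)\s[aHR0cHM6Ly9](.+)` uses a character class, so it accepts any value containing whitespace followed by one character from that set plus anything else, rather than the literal base64 `https://` prefix that the first alternative checks. If a group was intended, `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s(aHR0cHM6Ly9)(.+)|^$)'` restores the check, and the same pattern presumably lives in the sibling tgw-ha.yaml hunk and in the maintained (non-deprecated) templates, where the fix matters more. In the same section `GatewayMaintenancePasswordHash` uses the unanchored `'[\$\./a-zA-Z0-9]*'` while `GatewayPasswordHash` uses `'^[\$\./a-zA-Z0-9]*$'`; even if CloudFormation matches the whole value, making the anchors explicit keeps the two hashes consistent and the constraint unambiguous. `AvailabilityZones` is shown as `Type: List` with `MinLength: 2`, which is not a valid parameter type on its own — this may be a rendering artifact that dropped a `<...>` generic, so it is worth confirming the file reads `List<AWS::EC2::AvailabilityZone::Name>`.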
@@ -0,0 +1,527 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: 
Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. 
+ Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + 
- r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/geo-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt 
ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. 
Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/gateway/gateway-master.yaml b/deprecated/aws/templates/R80.40/gateway/gateway-master.yaml new file mode 100755 index 00000000..bca67151 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gateway/gateway-master.yaml 
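Review bot: The Smart-1 Cloud token validation on `MemberAToken`/`MemberBToken` is weaker than its description suggests: in `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` the second alternative wraps `aHR0cHM6Ly9` in square brackets, making it a character class that matches a single one of those letters rather than the base64-encoded `https://` prefix, so any value containing whitespace followed by two more characters is accepted. Because the parameter is `NoEcho` and presumably only consumed during first-boot provisioning, a malformed token would surface only as a failed Smart-1 Cloud connection after the stack is up. The intended expression is presumably `'(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. This copy is being parked under `deprecated/`, so the fix matters mainly if the live `cluster/` templates carry the same pattern — worth checking there.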
@@ -0,0 +1,495 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Security Gateway into a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: 
Gateway Version & license + Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ GatewayName: + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in sk180501 to quickly connect this Gateway to Smart-1 Cloud. 
Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private. + or public address + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic. + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic. + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + GatewayStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gateway/gateway.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt 
VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewaySICKey: !Ref GatewaySICKey + GatewayToken: !Ref GatewayToken + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PublicAddress + CheckPointInstancePrivateExternalAddress: + Description: The private external address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress + CheckPointInstancePrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. 
+ Value: !GetAtt GatewayStack.Outputs.SSH + CheckPointInstanceURL: + Condition: AllocateAddress + Description: URL to the portal + Value: !GetAtt GatewayStack.Outputs.URL + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations + required to automatically provision the Gateways in the Auto Scaling Group, + such as what Security Policy to install and which Blades to enable, will be + placed under this template name. + Value: !Ref ConfigurationTemplate diff --git a/deprecated/aws/templates/R80.40/gateway/gateway.yaml b/deprecated/aws/templates/R80.40/gateway/gateway.yaml new file mode 100755 index 00000000..169f1239 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gateway/gateway.yaml 
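Review bot: `ManagementServer` and `ConfigurationTemplate` are grouped under `Automatic Provisioning with Security Management Server Settings (optional)` but neither declares a `Default`, so CloudFormation treats both as required and a deployment that does not use automatic provisioning must still pass explicit (empty) values; adding `Default: ''` to each makes the label true. The descriptions of those two parameters and of `ControlGatewayOverPrivateOrPublicAddress` also contain a stray full stop mid-sentence (`using its private. or public address`), which is exactly what the console shows the operator. Separately, `GatewaySICKey` here uses the unanchored `AllowedPattern: '[a-zA-Z0-9]{8,}'` while the sibling cluster template anchors it as `'^[a-zA-Z0-9]{8,}$'`; if CloudFormation evaluates the pattern as a full-string match the two are equivalent, but using the anchored form in both removes the doubt for a secret that establishes trust between components. The file is a copy parked under `deprecated/`, so these are low priority unless the live `gateway/` template shares them.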
@@ -0,0 +1,601 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys a Check Point Security Gateway into an existing VPC (__VERSION__)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - PublicSubnet
+ - PrivateSubnet
+ - InternalRouteTable
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewaySICKey
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - GatewayToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ - Label:
+ default: Automatic Provisioning with Security Management Server Settings (optional)
+ Parameters:
+ - ControlGatewayOverPrivateOrPublicAddress
+ - ManagementServer
+ - ConfigurationTemplate
+ ParameterLabels:
+ VPC:
+ default: VPC
+ PublicSubnet:
+ default: Public subnet
+ PrivateSubnet:
+ default: Private subnet
+ InternalRouteTable:
+ default: Internal route table
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Gateway Instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate an Elastic IP
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ GatewayVersion:
+ default: Gateway Version & license
+
Shell:
+ default: Admin shell
+ GatewaySICKey:
+ default: Gateway SIC key
+ GatewayToken:
+ default: Smart-1 Cloud Token
+ GatewayPasswordHash:
+ default: Gateway Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateway address
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+Parameters:
+ VPC:
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ PublicSubnet:
+ Description: The public subnet of the security gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ PrivateSubnet:
+ Description: The private subnet of the security gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ InternalRouteTable:
+ Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional)
+ Type: String
+ Default: ''
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Gateway
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway.
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instance.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Type: String
+ Default: R80.40-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections
+ between Check Point components. Choose a random string consisting of at least
+ 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '[a-zA-Z0-9]{8,}'
+ NoEcho: true
+ GatewayToken:
+ Description: Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ Type: String
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ NoEcho: true
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+ to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ ResourcesTagName:
+ Description: The name tag of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The name must not contain reserved words. For details, refer to sk40179. (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot.
(optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the Security Gateway is provisioned using its private
+ or public address.
+ Type: String
+ Default: private
+ AllowedValues:
+ - private
+ - public
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic
+ provisioning configuration.
+ Type: String
+ ConfigurationTemplate:
+ Description: A name of a Security Gateway configuration template in the automatic
+ provisioning configuration.
+ Type: String
+ MaxLength: 30
+Conditions:
+ ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+ EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+ ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+ ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]]
+ EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+ EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+ ReadyHandle:
+ Type: AWS::CloudFormation::WaitConditionHandle
+ Condition: AllocateAddress
+ Properties: {}
+ ReadyCondition:
+ Type: AWS::CloudFormation::WaitCondition
+ Condition: AllocateAddress
+ DependsOn: GatewayInstance
+ Properties:
+ Handle: !Ref ReadyHandle
+ Timeout: 1800
+ GatewayIAMRole:
+ Condition: EnableCloudWatch
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ ec2.amazonaws.com ]
+ Action: sts:AssumeRole
+ Path: /
+ GatewayInstanceProfile:
+ Condition: EnableCloudWatch
+ Type: AWS::IAM::InstanceProfile
+
Properties:
+ Path: /
+ Roles: [!Ref GatewayIAMRole]
+ CloudwatchPolicy:
+ Condition: EnableCloudWatch
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/iam/cloudwatch-policy.yaml
+ Parameters:
+ PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+ PolicyRole: !Ref GatewayIAMRole
+ AMI:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/utils/amis.yaml
+ Parameters:
+ Version: !Join ['-', [!Ref GatewayVersion,GW]]
+ ExternalNetworkInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - ExternalNetworkInterface
+ Description: eth0
+ SourceDestCheck: false
+ GroupSet:
+ - !Ref PermissiveSecurityGroup
+ SubnetId: !Ref PublicSubnet
+ InternalNetworkInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - InternalNetworkInterface
+ Description: eth1
+ SourceDestCheck: false
+ GroupSet:
+ - !Ref PermissiveSecurityGroup
+ SubnetId: !Ref PrivateSubnet
+ PermissiveSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - PermissiveSecurityGroup
+ GroupDescription: Permissive security group.
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + GatewayInstance: + Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref GatewayName + - !If + - ProvidedManagementParameters + - Key: x-chkp-tags + Value: + !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template,!Ref ConfigurationTemplate]] + - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + - !Ref 'AWS::NoValue' + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}'''
+ - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue']
+ - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+ - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+ - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+ - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ VersionDescription: Initial template version
+ PublicAddress:
+ Type: AWS::EC2::EIP
+ Condition: AllocateAddress
+ Properties:
+ Domain: vpc
+ AddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ Condition: AllocateAddress
+ DependsOn: GatewayInstance
+ Properties:
+ NetworkInterfaceId: !Ref ExternalNetworkInterface
+ AllocationId: !GetAtt PublicAddress.AllocationId
+ PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+Outputs:
+ PublicAddress:
+ Description: The public address of the Check Point instance.
+ Value: !Ref PublicAddress
+ Condition: AllocateAddress
+ PrivateExternalAddress:
+ Description: The private external address of the Check Point instance.
+ Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+ PrivateInternalAddress:
+ Description: The private internal address of the Check Point instance.
+ Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress
+ SSH:
+ Description: SSH command to the Check Point instance.
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+ Condition: AllocateAddress
+ URL:
+ Description: URL to the portal.
+ Value: !Join ['', ['https://', !Ref PublicAddress]]
+ Condition: AllocateAddress
+ ManagementName:
+ Description: The name that represents the Security Management Server.
+ Value: !Ref ManagementServer
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations
+ required to automatically provision the Gateways in the Auto Scaling Group,
+ such as what Security Policy to install and which Blades to enable, will be
+ placed under this template name.
+ Value: !Ref ConfigurationTemplate
diff --git a/deprecated/aws/templates/R80.40/gateway/standalone-master.yaml b/deprecated/aws/templates/R80.40/gateway/standalone-master.yaml
new file mode 100755
index 00000000..6408614d
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gateway/standalone-master.yaml
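Review bot: The Smart-1 Cloud token reaches the cloud-init shell unencoded, in the `!Sub` line of `UserData` that ends `token=''${GatewayToken}'''`, whereas `GatewaySICKey`, both password hashes and `GatewayBootstrapScript` are wrapped in `'Fn::Base64'` and so can only contribute base64 characters to the script. The `GatewayToken` `AllowedPattern` does not close that gap: its second alternative `(.*)\s[aHR0cHM6Ly9](.+)` uses a character class rather than the literal prefix, so any value with whitespace followed by one of those nine characters is accepted, including one carrying a single quote or `;` that would break or alter the `set -e` script instead of failing template validation. If `/etc/cloud_config.py` can accept the token base64-encoded, the consistent fix is `- !Join ['', [' token="$(echo ', 'Fn::Base64': !Ref GatewayToken, ')"']]` in place of the inline interpolation; otherwise at least make the second alternative `(.*)\saHR0cHM6Ly9(.+)` so only the intended prefix passes. This hunk is a copy kept under `deprecated/`, so presumably the live gateway template carries the same block and should get the same change.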
@@ -0,0 +1,443 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS
+ Security Gateway & Management (Standalone) instance in a new VPC (__VERSION__)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - AvailabilityZone
+ - VPCCIDR
+ - PublicSubnetCIDR
+ - PrivateSubnetCIDR
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - StandaloneName
+ - StandaloneInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - StandaloneVersion
+ - Shell
+ - StandalonePasswordHash
+ - StandaloneMaintenancePasswordHash
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - StandaloneHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - StandaloneBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ - AdminCIDR
+ - GatewaysAddresses
+ ParameterLabels:
+ AvailabilityZone:
+ default: Availability zone
+ VPCCIDR:
+ default: VPC CIDR
+ PublicSubnetCIDR:
+ default: Public subnet CIDR
+ PrivateSubnetCIDR:
+ default: Private subnet CIDR
+ StandaloneName:
+ default: Standalone Name
+ StandaloneInstanceType:
+ default: Instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate an Elastic IP
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ StandaloneVersion:
+ default: License
+ Shell:
+ default: Admin shell
+ StandalonePasswordHash:
+ default: Standalone Password hash
+ StandaloneMaintenancePasswordHash:
+ default: Gateway Maintenance
Password hash
+ ResourcesTagName:
+ default: Resources prefix tag
+ StandaloneHostname:
+ default: Standalone Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ StandaloneBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+ AdminCIDR:
+ default: Administrator addresses
+ GatewaysAddresses:
+ default: Gateways addresses
+Parameters:
+ AvailabilityZone:
+ Description: The availability zone in which to deploy the instance.
+ Type: AWS::EC2::AvailabilityZone::Name
+ MinLength: 1
+ VPCCIDR:
+ Description: The CIDR block of the VPC.
+ Type: String
+ Default: 10.0.0.0/16
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnetCIDR:
+ Description: The public subnet of the Security Gateway.
+ Type: String
+ Default: 10.0.10.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnetCIDR:
+ Description: The private subnet of the Security Gateway.
+ Type: String
+ Default: 10.0.11.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ StandaloneName:
+ Type: String
+ Default: Check-Point-Instance
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instance.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Default: true
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ MinValue: 100
+ Default: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Ec2 Instance Connect is not supported with versions prior to R80.40.
+ Default: false
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ StandaloneVersion:
+ Description: Standalone Version & License.
+ Type: String
+ Default: R80.40-BYOL
+ AllowedValues:
+ - R80.40-PAYG-NGTP
+ - R80.40-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ StandalonePasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+ to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ StandaloneMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password.
(optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ StandaloneInstanceType:
+ Description: The instance type of the Security Gateway & Management (Standalone) instance.
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ -
m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ ResourcesTagName:
+ Description: The name tag of the resources. (optional)
+ Type: String
+ Default: ''
+ StandaloneHostname:
+ Description: (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ StandaloneBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate.
+ with the Management Server
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Management.
+ Server.
(optional)
+ Type: String
+ AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+ ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Ref AvailabilityZone
+ NumberOfAZs: 1
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnetCIDR
+ CreatePrivateSubnets: true
+ PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
+ CreateAttachmentSubnets: false
+ InternalRoutingTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - InternalRoutingTable
+ InternalNetworkRouteAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Properties:
+ RouteTableId: !Ref InternalRoutingTable
+ SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ StandaloneStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/gateway/standalone.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ InternalRouteTable: !Ref InternalRoutingTable
+ StandaloneName: !Ref StandaloneName
+ StandaloneInstanceType: !Ref StandaloneInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ StandaloneVersion: !Ref StandaloneVersion
+ Shell: !Ref Shell
+ StandalonePasswordHash: !Ref StandalonePasswordHash
+
StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash
+ ResourcesTagName: !Ref ResourcesTagName
+ StandaloneHostname: !Ref StandaloneHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ StandaloneBootstrapScript: !Ref StandaloneBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+ AdminCIDR: !Ref AdminCIDR
+ GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+ CheckPointInstancePublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of the Check Point instance.
+ Value: !GetAtt StandaloneStack.Outputs.PublicAddress
+ CheckPointInstanceSSH:
+ Condition: AllocateAddress
+ Description: SSH command to the Check Point instance.
+ Value: !GetAtt StandaloneStack.Outputs.SSH
+ CheckPointInstanceURL:
+ Condition: AllocateAddress
+ Description: URL to the portal.
+ Value: !GetAtt StandaloneStack.Outputs.URL
diff --git a/deprecated/aws/templates/R80.40/gateway/standalone.yaml b/deprecated/aws/templates/R80.40/gateway/standalone.yaml
new file mode 100755
index 00000000..62ed02ce
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gateway/standalone.yaml
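Review bot: `GatewaysAddresses` is described as `(optional)` and its `AllowedPattern` ends in `)?$` so that an empty string validates, but the parameter has no `Default`, so CloudFormation still requires the caller to supply it and a stack created without it is rejected; the other optional parameters in this hunk (`ResourcesTagName`, `StandaloneHostname`, `StandaloneBootstrapScript`) carry `Default: ''`, and this one should too. `AdminCIDR` accepts any prefix length from `/0` to `/32`, so `0.0.0.0/0` passes validation and, since the value is forwarded unchanged to `standalone.yaml` (not in this hunk), presumably opens management web, SSH and SmartConsole access to every source address; consider narrowing the pattern or at least stating the consequence in the description. The descriptions of both parameters also carry a period misplaced by a line wrap (`communicate. with the Management Server`, `the Management. Server.`).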
@@ -0,0 +1,538 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Standalone Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Standalone Maintenance Password hash + 
ResourcesTagName: + default: Resources prefix tag + StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + StandaloneName: + Type: String + Default: Check-Point-Instance + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-PAYG-NGTP + - R80.40-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + StandaloneHostname: + Description: (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL'] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: StandaloneInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + StandaloneIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com ] + Action: sts:AssumeRole + Path: / + StandaloneInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [ !Ref StandaloneIAMRole ] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref StandaloneIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref 
ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + StandaloneInstance: + Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref StandaloneName + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref StandaloneInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: 
!If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' + - !If [ AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ] + - !Join [ '', [ ' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ] + - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] + - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ] + - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: StandaloneInstance + Condition: AllocateAddress + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt 
PublicAddress.AllocationId
+ PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress
+Outputs:
+ PublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of the Check Point instance.
+ Value: !Ref PublicAddress
+ SSH:
+ Condition: AllocateAddress
+ Description: SSH command to the Check Point instance.
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+ URL:
+ Condition: AllocateAddress
+ Description: URL to the portal.
+ Value: !Join ['', ['https://', !Ref PublicAddress ]]
diff --git a/deprecated/aws/templates/R80.40/gwlb/amis-gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/amis-gwlb.yaml
new file mode 100755
index 00000000..08089c1f
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/amis-gwlb.yaml
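Review bot: The admin password hash, the maintenance-mode password hash and the bootstrap script are embedded base64-encoded (not encrypted) in the launch template's UserData via the `pwd_hash=`, `maintenance_pwd_hash=` and `bootstrap=` lines, so `NoEcho: true` on those three parameters hides them only from the CloudFormation console and API; any principal with `ec2:DescribeLaunchTemplateVersions` or `ec2:DescribeInstanceAttribute`, and any process on the instance reading IMDS user data, can recover them for the lifetime of the instance. Consider a comment on each of the three parameters, e.g. `# NOTE: passed to the instance through UserData; remains readable via the EC2 API and IMDS after boot`, and a recommendation in the parameter descriptions to rotate the admin password after first boot. Separately, `PermissiveSecurityGroup` admits every protocol from `0.0.0.0/0` on both network interfaces, so the `AdminCIDR` restriction is enforced only inside the guest; a one-line comment above that resource stating that policy enforcement is intentionally delegated to the gateway would stop readers from treating it as an oversight.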
@@ -0,0 +1,123 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Returns a Check Point Amazon Machine ID (__VERSION__) +Parameters: + Version: + Description: Security Gateway version + Type: String + Default: R80.40-BYOL-GW + AllowedValues: + - R80.40-BYOL-GW + - R80.40-PAYG-NGTP-GW + - R80.40-PAYG-NGTX-GW +Mappings: + ConverterMap: + R80.40-BYOL-GW: + Value: R8040BYOLGW + R80.40-PAYG-NGTP-GW: + Value: R8040PAYGNGTPGW + R80.40-PAYG-NGTX-GW: + Value: R8040PAYGNGTXGW + RegionMap: + af-south-1: + R8040BYOLGW: ami-0ac3de5e02318dbb9 + R8040PAYGNGTPGW: ami-0bd5e19d8b6c2e010 + R8040PAYGNGTXGW: ami-0daea7d32748a95b7 + ap-east-1: + R8040BYOLGW: ami-03e84cc92d6d806d9 + R8040PAYGNGTPGW: ami-0a50d8be138a39ffa + R8040PAYGNGTXGW: ami-07b3af199dfa93478 + ap-northeast-1: + R8040BYOLGW: ami-08b50c5e55789267c + R8040PAYGNGTPGW: ami-07ed13ea6074c0487 + R8040PAYGNGTXGW: ami-04691498c292bb2ca + ap-northeast-2: + R8040BYOLGW: ami-0199c1aa2899f1fc2 + R8040PAYGNGTPGW: ami-07f249c288d5453e5 + R8040PAYGNGTXGW: ami-0de1b8fb057fc6cb3 + ap-northeast-3: + R8040BYOLGW: ami-0001e1915cbd7af1b + R8040PAYGNGTPGW: ami-05e34615518b20617 + R8040PAYGNGTXGW: ami-05d2bb2f12a0bb254 + ap-south-1: + R8040BYOLGW: ami-0a26838410046600b + R8040PAYGNGTPGW: ami-012277a3c7c028020 + R8040PAYGNGTXGW: ami-03da4b399784399f0 + ap-south-2: {} + ap-southeast-1: + R8040BYOLGW: ami-0af3307d70bf9d8b6 + R8040PAYGNGTPGW: ami-0e8ed0eb9aa094877 + R8040PAYGNGTXGW: ami-0accd2e7ebac4ed10 + ap-southeast-2: + R8040BYOLGW: ami-054952950277df882 + R8040PAYGNGTPGW: ami-0c483bfb4f071bbb3 + R8040PAYGNGTXGW: ami-0a6030b227d947535 + ap-southeast-3: + R8040BYOLGW: ami-01de813d939f37210 + R8040PAYGNGTPGW: ami-0a69ac977555b13e4 + R8040PAYGNGTXGW: ami-0d730e1b951919c9b + ca-central-1: + R8040BYOLGW: ami-0d71e4ca01e67dc40 + R8040PAYGNGTPGW: ami-0c2116d978c175f8a + R8040PAYGNGTXGW: ami-0e53f675371e80935 + eu-central-1: + R8040BYOLGW: ami-046f3dfde3055c0c2 + R8040PAYGNGTPGW: ami-06af9b32f93c957dc + R8040PAYGNGTXGW: ami-09c6fee62f6bc0270 + 
eu-central-2: {} + eu-north-1: + R8040BYOLGW: ami-05c9b72e460f6e230 + R8040PAYGNGTPGW: ami-09399d091a241d03e + R8040PAYGNGTXGW: ami-08422e2787d7a0b86 + eu-south-1: + R8040BYOLGW: ami-0021d29e6c8983ff6 + R8040PAYGNGTPGW: ami-07c770caf8d288636 + R8040PAYGNGTXGW: ami-0b355610d679e47bc + eu-south-2: {} + eu-west-1: + R8040BYOLGW: ami-00be1913a17d99fb4 + R8040PAYGNGTPGW: ami-0b53953de2f981cc3 + R8040PAYGNGTXGW: ami-0f9c751772234a142 + eu-west-2: + R8040BYOLGW: ami-05aec4880e95365ce + R8040PAYGNGTPGW: ami-036cdb2393d5c1a32 + R8040PAYGNGTXGW: ami-09891046424c314af + eu-west-3: + R8040BYOLGW: ami-02b95b5c9683bd9ac + R8040PAYGNGTPGW: ami-033f58324df30157a + R8040PAYGNGTXGW: ami-0c43d0326c68bcb48 + me-central-1: + R8040BYOLGW: ami-02e8d091194949457 + R8040PAYGNGTPGW: ami-0a8131eea457f8a71 + R8040PAYGNGTXGW: ami-04ab9b46aa75ad99b + me-south-1: + R8040BYOLGW: ami-0b95f19ae216bdf25 + R8040PAYGNGTPGW: ami-0328604c962b84b4c + R8040PAYGNGTXGW: ami-0455013fffc60b073 + sa-east-1: + R8040BYOLGW: ami-0e875f613b36b6b79 + R8040PAYGNGTPGW: ami-008379899b3dc952d + R8040PAYGNGTXGW: ami-07e9fc0a27d0eb659 + us-east-1: + R8040BYOLGW: ami-038bddea5b07efcd2 + R8040PAYGNGTPGW: ami-0f51f2cc69296c954 + R8040PAYGNGTXGW: ami-056bc408f66e8057b + us-east-2: + R8040BYOLGW: ami-0c90634daf216611a + R8040PAYGNGTPGW: ami-04c93712f9f3c54ca + R8040PAYGNGTXGW: ami-0b6988dff7d7b520b + us-west-1: + R8040BYOLGW: ami-0ee766db82ecd8c06 + R8040PAYGNGTPGW: ami-0a86fb5df6b87b3ee + R8040PAYGNGTXGW: ami-07b7818ac041a88a6 + us-west-2: + R8040BYOLGW: ami-0271bf8fd0aae0f14 + R8040PAYGNGTPGW: ami-0595481bb41b3ec7d + R8040PAYGNGTXGW: ami-0e6c6921c23256796 +Resources: + DummyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Properties: {} +Outputs: + ImageId: + Description: Check Point Security Gateway AMI + Value: !FindInMap [RegionMap ,!Ref 'AWS::Region', !FindInMap [ConverterMap, !Ref 'Version', Value]] 
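Review bot: `RegionMap` carries empty entries for `ap-south-2`, `eu-central-2` and `eu-south-2`, so the nested `!FindInMap` in the `ImageId` output fails at stack creation in those regions with a generic mapping-lookup error instead of a clear statement that no R80.40 GWLB image is published there. A comment on those entries, e.g. `# no R80.40 GWLB AMI published in this region; stack creation here fails at FindInMap`, or a list of unsupported regions in the `Version` parameter description, would make the failure mode explicit. The template also performs no owner or publisher check on the hard-coded AMI IDs, so a short header comment naming where the IDs are sourced from would let deployers verify them against the publisher's account before use.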
diff --git a/deprecated/aws/templates/R80.40/gwlb/autoscale-gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/autoscale-gwlb.yaml
new file mode 100755
index 00000000..725be55c
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/autoscale-gwlb.yaml
@@ -0,0 +1,657 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: 
+ default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling + group (comma separated list of ARNs, without spaces). (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + isR8040: !Or [!Equals [!Ref GatewayVersion,R80.40-BYOL], !Equals [!Ref GatewayVersion, R80.40-PAYG-NGTP], !Equals [!Ref GatewayVersion,R80.40-PAYG-NGTX]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + 
NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: !Ref GatewaysSubnets + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: !Ref GatewaysSubnets + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckGracePeriod: 3600 + HealthCheckType: ELB + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref 
GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + - Key: x-chkp-topology + Value: internal + PropagateAtLaunch: true + - Key: x-chkp-solution + Value: autoscale_gwlb + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: !Ref AllocatePublicAddress + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'network:' + - ' version: 1' + - ' config:' + - ' - type: bridge' + - ' name: br0' + - ' mtu: *eth0-mtu' + - ' subnets:' + - ' - address: *eth0-private' + - ' type: static' + - ' gateway: *default-gateway' + - ' dns_nameservers:' + - ' - *eth0-dns1' + - ' bridge_interfaces:' + - ' - eth0' + - 'kernel_parameters:' + - ' sim:' + - ' - sim_geneve_enabled=1' + - ' - sim_geneve_br_dev=br0' + - ' fw:' + - ' - fwtls_bridge_mode_inspection=1' + - ' - fw_geneve_enabled=1' + - 'bootcmd:' + - ' - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local' + - ' - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + 
- !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. 
+ MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/deprecated/aws/templates/R80.40/gwlb/cme-iam-role-gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/cme-iam-role-gwlb.yaml new file mode 100755 index 00000000..be7c923c --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/cme-iam-role-gwlb.yaml 
@@ -0,0 +1,131 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: IAM + Parameters: + - Permissions + - Label: + default: Advanced Configuration (optional) + Parameters: + - STSRoles + - TrustedAccount + ParameterLabels: + Permissions: + default: IAM role + STSRoles: + default: STS roles + TrustedAccount: + default: Trusted Account ID +Parameters: + Permissions: + Type: String + Default: Create with read permissions + AllowedValues: + - Create with read permissions + - Create with read-write permissions + - Create with assume role permissions (specify an STS role ARN) + STSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). + Type: String + Default: '' + TrustedAccount: + Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it. 
+ Type: String + Default: '' + AllowedPattern: '^([0-9]{12})|$' +Conditions: + AllowReadPermissions: !Or + - !Equals [!Ref Permissions, Create with read permissions] + - !Equals [!Ref Permissions, Create with read-write permissions] + AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions] + ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']] + NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount] + ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount] +Resources: + CMEIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedTrustedAccount + - Effect: Allow + Principal: + AWS: [!Ref TrustedAccount] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + - !If + - NotProvidedTrustedAccount + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + Path: / + Policies: + - PolicyName: CMEPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedSTSRoles + - Effect: Allow + Action: ['sts:AssumeRole'] + Resource: !Split [',', !Ref STSRoles] + - !Ref 'AWS::NoValue' + - !If + - AllowReadPermissions + - Effect: Allow + Action: + - autoscaling:DescribeAutoScalingGroups + - ec2:DescribeRegions + - ec2:DescribeInstances + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeVpcs + - ec2:DescribeInternetGateways + - ec2:DescribeVpcEndpoints + - ec2:DescribeVpcEndpointServiceConfigurations + - elasticloadbalancing:DescribeLoadBalancers + - elasticloadbalancing:DescribeTags + - elasticloadbalancing:DescribeListeners + - elasticloadbalancing:DescribeTargetGroups + - elasticloadbalancing:DescribeRules + - elasticloadbalancing:DescribeTargetHealth + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - ec2:CreateRoute + - ec2:ReplaceRoute + - 
ec2:DeleteRoute + - ec2:CreateRouteTable + - ec2:AssociateRouteTable + - ec2:CreateTags + Resource: '*' + - !Ref 'AWS::NoValue' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: !Ref CMEIAMRole + Roles: + - !Ref CMEIAMRole +Outputs: + CMEIAMRole: + Description: The IAM role. + Value: !Ref CMEIAMRole + CMEARNRole: + Description: The IAM role ARN. + Value: !GetAtt CMEIAMRole.Arn + InstanceProfile: + Description: The Instance Profile ARN. + Value: !GetAtt InstanceProfile.Arn + diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-master.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-master.yaml new file mode 100755 index 00000000..581341f8 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-master.yaml 
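Review bot: The `TrustedAccount` constraint `AllowedPattern: '^([0-9]{12})|$'` splits the anchors across the alternation, so it only expresses "empty or exactly 12 digits" if CloudFormation matches the whole value; `AllowedPattern: '^([0-9]{12})?$'` states the intent unambiguously. When a trusted account is supplied, the trust statement `AWS: [!Ref TrustedAccount]` lets every principal in that account that holds sts:AssumeRole take the role, and with read-write permissions selected that role can run ec2:CreateRoute/ReplaceRoute/DeleteRoute on `Resource: '*'`; a `Condition` on the AssumeRole statement (for example an `sts:ExternalId` check, or narrowing the principal to a specific role ARN) would reduce that blast radius. The path `deprecated/aws/templates/R80.40/gwlb/` suggests this is an archived copy, so this may be intentionally frozen, but the same wording is worth carrying to the live template.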
@@ -0,0 +1,732 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Auto Scaling Group Public Subnet 1 + PublicSubnet2CIDR: + default: Auto Scaling Group Public Subnet 2 + PublicSubnet3CIDR: + default: Auto Scaling Group 
Public Subnet 3 + PublicSubnet4CIDR: + default: Auto Scaling Group Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: 
Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. 
+ Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. 
+ Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. 
Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - 
r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. 
+ NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',' , !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/gwlb.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: !Ref AcceptConnectionRequired + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + 
GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + VPCID: + Description: VPC ID. + Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. 
+ Value: !GetAtt GWLBStack.Outputs.GWLBServiceName +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-servers-infrastructure.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-servers-infrastructure.yaml new file mode 100755 index 00000000..2f90dd34 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-servers-infrastructure.yaml 
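Review bot: `GatewayMaintenancePasswordHash` and `ManagementMaintenancePasswordHash` use the unanchored `AllowedPattern: '[\$\./a-zA-Z0-9]*'` while the neighbouring `GatewayPasswordHash`/`ManagementPasswordHash` use `'^[\$\./a-zA-Z0-9]*$'`; the four hash parameters should share the anchored form so the constraint reads the same whichever matching semantics the reader assumes. In ParameterLabels, `ControlGatewayOverPrivateOrPublicAddress` and `GatewaysAddresses` both carry `default: Gateways addresses`, so two unrelated inputs show the same label in the console; something like `default: Provision gateways by private or public address` for the first one removes the ambiguity. `AdminCIDR` and `GatewaysAddresses` accept any prefix length from /0 to /32 with no `ConstraintDescription`, so an operator who opens management access to `0.0.0.0/0` gets no hint that a narrower network is expected; a one-line `ConstraintDescription` would help, since these values are passed straight through to the nested gwlb.yaml stack. The file sits under `deprecated/aws/templates/R80.40/gwlb/`, so these are mainly worth mirroring in the non-deprecated template.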
@@ -0,0 +1,324 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy GWLB application servers infrastructure, it creates a Multi-AZ, multi-subnet VPC infrastructure for application servers, and Multi-AZ, multi-subnet VPC infrastructure for GWLBe, and optionally deploy Application Autoscale(__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Availability Zone Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - Label: + default: Server Network Configuration + Parameters: + - VPCCIDR + - Label: + default: Server Network Configuration + Parameters: + - VPCCIDR + - ServersSubnet1CIDR + - ServersSubnet2CIDR + - ServersSubnet3CIDR + - ServersSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: GWLB Information + Parameters: + - SubnetTagsInboundCIDR + - SubnetTagsOutboundCIDR + - GWLBServiceName + - Label: + default: Web Servers Auto Scaling Group Configuration + Parameters: + - ServersDeploy + - AdminEmail + - ServerAMI + - KeyName + - GroupMinSize + - GroupMaxSize + - ALBProtocol + - ServicePort + - ServerInstanceType + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + VPCCIDR: + default: Servers VPC CIDR + ServersSubnet1CIDR: + default: Servers subnet 1 CIDR + ServersSubnet2CIDR: + default: Servers subnet 2 CIDR + ServersSubnet3CIDR: + default: Servers subnet 3 CIDR + ServersSubnet4CIDR: + default: Servers subnet 4 CIDR + GWLBeSubnet1CIDR: + default: GWLBe subnet 1 CIDR + GWLBeSubnet2CIDR: + default: GWLBe subnet 2 CIDR + GWLBeSubnet3CIDR: + default: GWLBe subnet 3 CIDR + GWLBeSubnet4CIDR: + default: GWLBe subnet 4 CIDR + SubnetTagsInboundCIDR: + default: App cidr inbound tags + SubnetTagsOutboundCIDR: + default: App cidr Outbound tags + GWLBServiceName: + defsult: GWLB Service Name + ALBProtocol: + default: ALB Protocol + ServicePort: + default: Custom 
service port + ServersDeploy: + default: Deploy servers + ServerInstanceType: + default: Servers instance type + ServerAMI: + default: AMI ID + GroupMinSize: + default: Minimum group size + GroupMaxSize: + default: Maximum group size + AdminEmail: + default: Email address + KeyName: + default: Key name +Parameters: + AvailabilityZones: + Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your + selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 1 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the Servers VPC. + Type: String + Default: 192.168.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersSubnet1CIDR: + Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. + Type: String + Default: 192.168.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersSubnet2CIDR: + Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. + Type: String + Default: 192.168.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersSubnet3CIDR: + Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. 
+ Type: String + Default: 192.168.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersSubnet4CIDR: + Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4. + Type: String + Default: 192.168.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for the GWLBe subnet 1 located in Availability Zone 1. + Type: String + Default: 192.168.70.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for the GWLBe subnet 2 located in Availability Zone 2. + Type: String + Default: 192.168.80.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for the GWLBe subnet 3 located in Availability Zone 3. + Type: String + Default: 192.168.90.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for the GWLBe subnet 4 located in Availability Zone 4. 
+ Type: String + Default: 192.168.100.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SubnetTagsInboundCIDR: + Description: Inbound Subnet tagging for Inspection (Comma-delimited list of three CIDR blocks for inspection) + Type: CommaDelimitedList + Default: "0.0.0.0/0" + SubnetTagsOutboundCIDR: + Description: Outbound Subnet tagging for Inspection (Comma-delimited list of three CIDR blocks for inspection) + Type: CommaDelimitedList + Default: "0.0.0.0/0" + GWLBServiceName: + Description: GWLB service name (The value can be achieved from security VPC stack outputs) + Type: String + GroupMinSize: + Description: The minimal number of Application Servers. + Type: Number + Default: 2 + MinValue: 1 + GroupMaxSize: + Description: The maximal number of Application Servers. + Type: Number + Default: 10 + MinValue: 1 + ALBProtocol: + Description: The protocol to use on the Application Load Balancer. If Network Load Balancer was selected this section will be ignored. + Type: String + Default: HTTP + AllowedValues: + - HTTP + - HTTPS + ServicePort: + Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.' + Type: String + AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$' + ConstraintDescription: Custom service port must be a number between 0 and 65535. + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + ServersDeploy: + Description: Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ServerInstanceType: + Description: The EC2 instance type for the web servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ServerAMI: + Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63). + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$' + ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx. + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. 
+Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + DeployServers: !Equals [!Ref ServersDeploy, true] + EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ] + ProvidedPort: !Not [!Equals [!Ref ServicePort, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/qs-gwlb-servers-vpc.yaml + Parameters: + AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + ServersSubnet1CIDR: !Ref ServersSubnet1CIDR + ServersSubnet2CIDR: !Ref ServersSubnet2CIDR + ServersSubnet3CIDR: !Ref ServersSubnet3CIDR + ServersSubnet4CIDR: !Ref ServersSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + SubnetTagsOutboundCIDR: !Join [ ',' , !Ref SubnetTagsOutboundCIDR ] + SubnetTagsInboundCIDR: !Join [ ',' , !Ref SubnetTagsInboundCIDR ] + GWLBeEndpointStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: __URL__/gwlb/qs-gwlb-endpoints.yaml + Parameters: + NumberOfAZs: !Ref NumberOfAZs + GWLBeVPC: !GetAtt VPCStack.Outputs.VPCID + GWLBeSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.GWLBeSubnet1ID + - !GetAtt VPCStack.Outputs.GWLBeSubnet2ID + - !If [ 3AZs, !GetAtt VPCStack.Outputs.GWLBeSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt VPCStack.Outputs.GWLBeSubnet4ID, !Ref 'AWS::NoValue' ] + GWLBServiceName: !Ref GWLBServiceName + ServersSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.ServersSubnet1ID + - !GetAtt VPCStack.Outputs.ServersSubnet2ID + - !If [ 3AZs, !GetAtt VPCStack.Outputs.ServersSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt VPCStack.Outputs.ServersSubnet4ID, !Ref 'AWS::NoValue' ] + ServersCIDRs: 
!Join + - ',' + - - !Ref ServersSubnet1CIDR + - !Ref ServersSubnet2CIDR + - !If [ 3AZs, !Ref ServersSubnet3CIDR, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !Ref ServersSubnet4CIDR, !Ref 'AWS::NoValue' ] + ServerIGW: !GetAtt VPCStack.Outputs.IGWID + ServersStacks: + Type: AWS::CloudFormation::Stack + Condition: DeployServers + DependsOn: GWLBeEndpointStack + Properties: + TemplateURL: __URL__/gwlb/qs-gwlb-servers-autoscale.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + Subnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.ServersSubnet1ID + - !GetAtt VPCStack.Outputs.ServersSubnet2ID + - !If [ 3AZs, !GetAtt VPCStack.Outputs.ServersSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt VPCStack.Outputs.ServersSubnet4ID, !Ref 'AWS::NoValue' ] + ResourcesTagName: !Ref ResourcesTagName + ALBProtocol: !Ref ALBProtocol + ServicePort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]] + AdminEmail: !Ref AdminEmail + ServerInstanceType: !Ref ServerInstanceType + ServerAMI: !Ref ServerAMI + KeyName: !Ref KeyName + AllocateServerPublicAddress: true + ServersMinSize: !Ref GroupMinSize + ServersMaxSize: !Ref GroupMaxSize +Outputs: + VpcEndpointService: + Description: Endpoint Service Name. + Value: !GetAtt VPCStack.Outputs.VPCID + ServerPorts: + Description: The internal Load Balancer should listen to this port. + Value: !If [EncryptedProtocol, 443, 80] + Condition: DeployServers + ServerLBURL: + Description: The URL of the Servers Application Load Balancer. + Value: !GetAtt ServersStacks.Outputs.ServerLBURL + Condition: DeployServers + ServerSecurityGroupID: + Description: The Application Servers Security Group ID. + Value: !GetAtt ServersStacks.Outputs.ServerSecurityGroupID + Condition: DeployServers \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network-master.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network-master.yaml new file mode 100755 index 00000000..782f72dc --- /dev/null 
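Review bot: `EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ]` under Conditions compares the literal string "ALBProtocol" with "HTTPS", so the condition can never be true; every other condition in the block wraps its parameter in `!Ref`, and this one should read `EncryptedProtocol: !Equals [!Ref ALBProtocol, HTTPS]`. As written, choosing HTTPS and leaving ServicePort blank hands the autoscale child stack port 80 via `!If [EncryptedProtocol, 443, 80]`, and the `ServerPorts` output reports 80 too, contradicting the ServicePort description that promises 443 for HTTPS. Two smaller slips in the same file: `defsult:` under `GWLBServiceName` in ParameterLabels should be `default:`, and the `VpcEndpointService` output is described as the endpoint service name but returns `VPCStack.Outputs.VPCID`. Since this copy lands under deprecated/, the main value is in checking whether the maintained version of this template shares these lines.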
+++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network-master.yaml 
@@ -0,0 +1,847 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Global Network and Core Network with 3 segments, basic policy and a Security VPC with Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CloudWANSubnet1CIDR + - CloudWANSubnet2CIDR + - CloudWANSubnet3CIDR + - CloudWANSubnet4CIDR + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses 
+ ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CloudWANSubnet1CIDR: + default: Cloud WAN subnet 1 CIDR + CloudWANSubnet2CIDR: + default: Cloud WAN subnet 2 CIDR + CloudWANSubnet3CIDR: + default: Cloud WAN subnet 3 CIDR + CloudWANSubnet4CIDR: + default: Cloud WAN subnet 4 CIDR + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum 
group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved) + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: The CIDR block of the provided VPC. 
+ Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet1CIDR: + Description: CIDR block for Cloud WAN subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.12.0/24 + AllowedPattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet2CIDR: + Description: CIDR block for Cloud WAN subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet3CIDR: + Description: CIDR block for Cloud WAN subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet4CIDR: + Description: CIDR block for Cloud WAN subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: 
CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone + Type: String + 
Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration + Type: String + Default: gwlb-wan-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration + Type: String + Default: gwlb-wan-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb-wan1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg-gwlb-wan1 + ConstraintDescription: Must be a valid target group name + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. 
+ Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge 
+ - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address + Type: String + Default: private + AllowedValues: + - private + - public + CloudWatch: + Description: Report Check Point specific CloudWatch metrics + Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + 
- r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ ManagementVersion:
+ Description: The license to install on the Security Management Server
+ Type: String
+ Default: R80.40-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. 
(optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaysPolicy:
+ Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group
+ Type: String
+ Default: Standard
+ MinLength: 1
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewayManagement:
+ Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+Conditions:
+ 4AZs: !Equals [!Ref NumberOfAZs, 4]
+ 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+ VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+ PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+ CreatePrivateSubnets: false
+ CreateAttachmentSubnets: true
+ AttachmentSubnet1CIDR: !Ref CloudWANSubnet1CIDR
+ AttachmentSubnet2CIDR: !Ref CloudWANSubnet2CIDR
+ AttachmentSubnet3CIDR: !Ref 
CloudWANSubnet3CIDR
+ AttachmentSubnet4CIDR: !Ref CloudWANSubnet4CIDR
+ CloudWANGwlbStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/gwlb/gwlb-wan-global-network.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ IGWID: !GetAtt VPCStack.Outputs.IGWID
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ GatewaysSubnets: !Join
+ - ','
+ - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+ - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+ CloudWANSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+ CloudWANSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+ CloudWANSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""]
+ CloudWANSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""]
+ NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR
+ NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR
+ NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR
+ NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR
+ GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR
+ GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR
+ GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR
+ GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR
+ KeyName: !Ref KeyName
+ EnableVolumeEncryption: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ TerminationProtection: !Ref TerminationProtection
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ AdminEmail: !Ref AdminEmail
+ Shell: !Ref Shell
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ GatewaysMinSize: !Ref GatewaysMinSize
+ GatewaysMaxSize: !Ref GatewaysMaxSize
+ GatewayVersion: !Ref GatewayVersion
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ 
GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ CloudWatch: !Ref CloudWatch
+ GWLBName: !Ref GWLBName
+ TargetGroupName: !Ref TargetGroupName
+ CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+ ManagementDeploy: !Ref ManagementDeploy
+ ManagementInstanceType: !Ref ManagementInstanceType
+ ManagementVersion: !Ref ManagementVersion
+ ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+ GatewaysPolicy: !Ref GatewaysPolicy
+ AdminCIDR: !Ref AdminCIDR
+ GatewayManagement: !Ref GatewayManagement
+ GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+ VPCID:
+ Description: VPC ID
+ Value: !GetAtt VPCStack.Outputs.VPCID
+ ManagementPublicAddress:
+ Description: The public address of the management server
+ Value: !GetAtt CloudWANGwlbStack.Outputs.ManagementPublicAddress
+ Condition: DeployManagement
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name
+ Value: !GetAtt CloudWANGwlbStack.Outputs.ConfigurationTemplateName
+ ControllerName:
+ Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name
+ Value: !GetAtt CloudWANGwlbStack.Outputs.ControllerName
+ GWLBName:
+ Description: Gateway Load Balancer Name
+ Value: !Ref GWLBName
+ GWLBServiceName:
+ Description: Gateway Load Balancer Service Name
+ Value: !GetAtt CloudWANGwlbStack.Outputs.GWLBServiceName
+ CloudWANSubnet1ID:
+ Description: Cloud WAN subnet 1 ID in Availability Zone 1
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+ CloudWANSubnet2ID:
+ Description: Cloud WAN subnet 2 ID in Availability Zone 2
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+ CloudWANSubnet3ID:
+ Description: Cloud WAN subnet 3 ID in Availability Zone 3
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID
+ Condition: 3AZs
+ CloudWANSubnet4ID:
+ Description: Cloud WAN subnet 4 ID in Availability Zone 4
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID
+ Condition: 4AZs
+ CloudWANSubnet1CIDR:
+ Description: Cloud WAN subnet 1 CIDR in Availability Zone 1
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR
+ CloudWANSubnet2CIDR:
+ Description: Cloud WAN subnet 2 CIDR in Availability Zone 2
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR
+ CloudWANSubnet3CIDR:
+ Description: Cloud WAN subnet 3 CIDR in Availability Zone 3
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR
+ Condition: 3AZs
+ CloudWANSubnet4CIDR:
+ Description: Cloud WAN subnet 4 CIDR in Availability Zone 4
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR
+ Condition: 4AZs
+ GlobalNetworkId:
+ Description: Cloud WAN Global Network ID
+ Value: !GetAtt CloudWANGwlbStack.Outputs.GlobalNetworkId
+ CoreNetworkId:
+ Description: Cloud WAN Core Network ID
+ Value: !GetAtt CloudWANGwlbStack.Outputs.CoreNetworkId
+ SecurityVpcAttachmentId:
+ Description: Cloud WAN Security VPC Attachment ID
+ Value: !GetAtt CloudWANGwlbStack.Outputs.SecurityVpcAttachmentId
\ No newline at end of file
diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network.yaml
new file mode 100755
index 00000000..b72ce09c
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-global-network.yaml
@@ -0,0 +1,1317 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Global Network and Core Network with 3 segments, basic policy and a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN (__VERSION__)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - IGWID
+ - AvailabilityZones
+ - NumberOfAZs
+ - GatewaysSubnets
+ - CloudWANSubnet1Id
+ - CloudWANSubnet2Id
+ - CloudWANSubnet3Id
+ - CloudWANSubnet4Id
+ - NatGwSubnet1CIDR
+ - NatGwSubnet2CIDR
+ - NatGwSubnet3CIDR
+ - NatGwSubnet4CIDR
+ - GWLBeSubnet1CIDR
+ - GWLBeSubnet2CIDR
+ - GWLBeSubnet3CIDR
+ - GWLBeSubnet4CIDR
+ - Label:
+ default: General Settings
+ Parameters:
+ - KeyName
+ - EnableVolumeEncryption
+ - VolumeSize
+ - VolumeType
+ - EnableInstanceConnect
+ - TerminationProtection
+ - AllowUploadDownload
+ - ManagementServer
+ - ConfigurationTemplate
+ - AdminEmail
+ - Shell
+ - Label:
+ default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - GatewaysMinSize
+ - GatewaysMaxSize
+ - GatewayVersion
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - ControlGatewayOverPrivateOrPublicAddress
+ - CloudWatch
+ - Label:
+ default: Gateway Load Balancer Configuration
+ Parameters:
+ - GWLBName
+ - TargetGroupName
+ - CrossZoneLoadBalancing
+ - Label:
+ default: Check Point CloudGuard IaaS Security Management Server Configuration
+ Parameters:
+ - ManagementDeploy
+ - ManagementInstanceType
+ - ManagementVersion
+ - ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
+ - GatewaysPolicy
+ - AdminCIDR
+ - GatewayManagement
+ - GatewaysAddresses
+ ParameterLabels:
+ VPC:
+ default: VPC
+ IGWID:
+ default: Internet Gateway ID 
+ AvailabilityZones:
+ default: Availability Zones
+ NumberOfAZs:
+ default: Number of AZs
+ GatewaysSubnets:
+ default: Gateways subnets
+ CloudWANSubnet1Id:
+ default: Cloud WAN Attachment subnet 1 Id
+ CloudWANSubnet2Id:
+ default: Cloud WAN Attachment subnet 2 Id
+ CloudWANSubnet3Id:
+ default: Cloud WAN Attachment subnet 3 Id
+ CloudWANSubnet4Id:
+ default: Cloud WAN Attachment subnet 4 Id
+ NatGwSubnet1CIDR:
+ default: NAT subnet 1 CIDR
+ NatGwSubnet2CIDR:
+ default: NAT subnet 2 CIDR
+ NatGwSubnet3CIDR:
+ default: NAT subnet 3 CIDR
+ NatGwSubnet4CIDR:
+ default: NAT subnet 4 CIDR
+ GWLBeSubnet1CIDR:
+ default: Gateway Load Balancer Endpoint subnet 1 CIDR
+ GWLBeSubnet2CIDR:
+ default: Gateway Load Balancer Endpoint subnet 2 CIDR
+ GWLBeSubnet3CIDR:
+ default: Gateway Load Balancer Endpoint subnet 3 CIDR
+ GWLBeSubnet4CIDR:
+ default: Gateway Load Balancer Endpoint subnet 4 CIDR
+ KeyName:
+ default: Key name
+ EnableVolumeEncryption:
+ default: Enable environment volume encryption
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ TerminationProtection:
+ default: Termination Protection
+ AllowUploadDownload:
+ default: Allow upload & download
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+ AdminEmail:
+ default: Email address
+ Shell:
+ default: Admin shell
+ GatewayName:
+ default: Gateways instance name
+ GatewayInstanceType:
+ default: Gateways instance type
+ GatewaysMinSize:
+ default: Minimum group size
+ GatewaysMaxSize:
+ default: Maximum group size
+ GatewayVersion:
+ default: Gateways version & license
+ GatewayPasswordHash:
+ default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: Gateways SIC key
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateways addresses
+ CloudWatch:
+ default: CloudWatch 
metrics
+ GWLBName:
+ default: Gateway Load Balancer Name
+ TargetGroupName:
+ default: Target Group Name
+ CrossZoneLoadBalancing:
+ default: Enable Cross Zone Load Balancing
+ ManagementDeploy:
+ default: Deploy Management Server
+ ManagementInstanceType:
+ default: Management instance type
+ ManagementVersion:
+ default: Management version & license
+ ManagementPasswordHash:
+ default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
+ GatewaysPolicy:
+ default: Security Policy
+ AdminCIDR:
+ default: Administrator addresses
+ GatewayManagement:
+ default: Manage Gateways
+ GatewaysAddresses:
+ default: Gateways addresses
+Parameters:
+ VPC:
+ Description: Select an existing VPC
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: You must select a VPC
+ IGWID:
+ Description: VPC's Internet Gateway Id (e.g. igw-123a4567)
+ Type: String
+ MinLength: 1
+ ConstraintDescription: You must insert an Internet Gateway Id
+ AvailabilityZones:
+ Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)
+ Type: List
+ MinLength: 2
+ NumberOfAZs:
+ Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter
+ Type: Number
+ Default: 2
+ MinValue: 2
+ MaxValue: 4
+ GatewaysSubnets:
+ Description: Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet
+ Type: List
+ MinLength: 2
+ CloudWANSubnet1Id:
+ Description: The Cloud WAN attachment subnet ID located in the 1st Availability Zone
+ Type: String
+ MinLength: 1
+ ConstraintDescription: You must insert Cloud WAN Subnet Id for Availability Zone 1
+ CloudWANSubnet2Id:
+ Description: The Cloud WAN attachment subnet ID located in the 2nd Availability Zone
+ Type: String
+ MinLength: 1
+ ConstraintDescription: You must insert Cloud WAN Subnet Id for Availability Zone 2
+ CloudWANSubnet3Id:
+ Description: The Cloud WAN attachment subnet ID located in the 3rd Availability Zone
+ Type: String
+ CloudWANSubnet4Id:
+ Description: The Cloud WAN attachment subnet ID located in the 4th Availability Zone
+ Type: String
+ NatGwSubnet1CIDR:
+ Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone
+ Type: String
+ Default: 10.0.13.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ NatGwSubnet2CIDR:
+ Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone
+ Type: String
+ Default: 10.0.23.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ NatGwSubnet3CIDR:
+ Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone
+ Type: String
+ Default: 10.0.33.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ NatGwSubnet4CIDR:
+ Description: CIDR block for NAT subnet 4 located in the 4th Availability 
Zone
+ Type: String
+ Default: 10.0.43.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GWLBeSubnet1CIDR:
+ Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone
+ Type: String
+ Default: 10.0.14.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GWLBeSubnet2CIDR:
+ Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone
+ Type: String
+ Default: 10.0.24.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GWLBeSubnet3CIDR:
+ Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone
+ Type: String
+ Default: 10.0.34.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GWLBeSubnet4CIDR:
+ Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone
+ Type: String
+ Default: 10.0.44.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instances created by this stack
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair
+ EnableVolumeEncryption:
+ Description: 
Encrypt Environment instances volume with default AWS KMS key
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ MinValue: 100
+ Default: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ AllowUploadDownload:
+ Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration
+ Type: String
+ Default: gwlb-wan-management-server
+ MinLength: 1
+ ConfigurationTemplate:
+ Description: A name of a gateway configuration template in the automatic provisioning configuration
+ Type: String
+ Default: gwlb-wan-ASG-configuration
+ MinLength: 1
+ MaxLength: 30
+ AdminEmail:
+ Description: Notifications about scaling events will be sent to this email address (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. 
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayName:
+ Description: The name tag of the Security Gateway instances (optional)
+ Type: String
+ Default: Check-Point-Gateway
+ GatewayInstanceType:
+ Description: The EC2 instance type for the Security Gateways
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - 
m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ GatewaysMinSize:
+ Description: The minimal number of Security Gateways
+ Type: Number
+ Default: 2
+ MinValue: 1
+ GatewaysMaxSize:
+ Description: The maximal number of Security Gateways
+ Type: Number
+ Default: 10
+ MinValue: 1
+ GatewayVersion:
+ Description: The version and license to install on the Security Gateways
+ Type: String
+ Default: R80.40-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long
+ NoEcho: true
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address
+ Type: String
+ Default: private
+ AllowedValues:
+ - private
+ - public
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GWLBName:
+ Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+ Type: String
+ Default: gwlb-wan1
+ ConstraintDescription: Must be a valid GWLB Name
+ TargetGroupName:
+ Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+ Type: String
+ Default: tg-gwlb-wan1
+ ConstraintDescription: Must be a valid target group name
+ CrossZoneLoadBalancing:
+ Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. 
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementDeploy:
+ Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementInstanceType:
+ Description: The EC2 instance type of the Security Management Server
+ Type: String
+ Default: m5.xlarge
+ AllowedValues:
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - 
r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ ManagementVersion:
+ Description: The license to install on the Security Management Server
+ Type: String
+ Default: R80.40-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaysPolicy:
+ Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group
+ Type: String
+ Default: Standard
+ MinLength: 1
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewayManagement:
+ Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server
+ Type: String
+ AllowedPattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+Conditions:
+ 4AZs: !Equals [!Ref NumberOfAZs, 4]
+ 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+ VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+Resources:
+ GWLBeSubnet1:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref GWLBeSubnet1CIDR
+ AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+ Tags:
+ - Key: Name
+ Value: GWLBe subnet 1
+ - Key: Network
+ Value: Private
+ GWLBeSubnet2:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref GWLBeSubnet2CIDR
+ AvailabilityZone: !Select [1, !Ref AvailabilityZones]
+ Tags:
+ - Key: Name
+ Value: GWLBe subnet 2
+ - Key: Network
+ Value: Private
+ GWLBeSubnet3:
+ Type: AWS::EC2::Subnet
+ Condition: 3AZs
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref GWLBeSubnet3CIDR
+ AvailabilityZone: !Select [2, !Ref AvailabilityZones]
+ Tags:
+ - Key: Name
+ Value: GWLBe subnet 3
+ - Key: Network
+ Value: Private
+ GWLBeSubnet4:
+ Type: AWS::EC2::Subnet
+ Condition: 4AZs
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref GWLBeSubnet4CIDR
+ AvailabilityZone: !Select [3, !Ref AvailabilityZones]
+ Tags:
+ - Key: Name
+ Value: GWLBe subnet 4
+ - Key: Network
+ Value: Private
+ GWLBeSubnet1RouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: GWLBe Subnet 1 Route Table
+ - Key: Network
+ Value: Private
+ GWLBeSubnet1NatGwDefaultRoute:
+ Type: AWS::EC2::Route
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !Ref NatGateway1
+ RouteTableId: !Ref GWLBeSubnet1RouteTable
+ GWLBeSubnet1RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Properties:
+ RouteTableId: !Ref GWLBeSubnet1RouteTable
+ SubnetId: !Ref GWLBeSubnet1
+ GWLBeSubnet2RouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ 
VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: GWLBe Subnet 2 Route Table
+ - Key: Network
+ Value: Private
+ GWLBeSubnet2NatGwDefaultRoute:
+ Type: AWS::EC2::Route
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !Ref NatGateway2
+ RouteTableId: !Ref GWLBeSubnet2RouteTable
+ GWLBeSubnet2RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Properties:
+ RouteTableId: !Ref GWLBeSubnet2RouteTable
+ SubnetId: !Ref GWLBeSubnet2
+ GWLBeSubnet3RouteTable:
+ Type: AWS::EC2::RouteTable
+ Condition: 3AZs
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: GWLBe Subnet 3 Route Table
+ - Key: Network
+ Value: Private
+ GWLBeSubnet3NatGwDefaultRoute:
+ Type: AWS::EC2::Route
+ Condition: 3AZs
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !Ref NatGateway3
+ RouteTableId: !Ref GWLBeSubnet3RouteTable
+ GWLBeSubnet3RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: 3AZs
+ Properties:
+ RouteTableId: !Ref GWLBeSubnet3RouteTable
+ SubnetId: !Ref GWLBeSubnet3
+ GWLBeSubnet4RouteTable:
+ Type: AWS::EC2::RouteTable
+ Condition: 4AZs
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: GWLBe Subnet 4 Route Table
+ - Key: Network
+ Value: Private
+ GWLBeSubnet4NatGwDefaultRoute:
+ Type: AWS::EC2::Route
+ Condition: 4AZs
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: !Ref NatGateway4
+ RouteTableId: !Ref GWLBeSubnet4RouteTable
+ GWLBeSubnet4RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: 4AZs
+ Properties:
+ RouteTableId: !Ref GWLBeSubnet4RouteTable
+ SubnetId: !Ref GWLBeSubnet4
+ NatGwSubnet1:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref NatGwSubnet1CIDR
+ AvailabilityZone: !Select [0, !Ref AvailabilityZones]
+ Tags:
+ - Key: Name
+ Value: NAT subnet 1
+ - Key: Network
+ Value: Private
+ NatGwSubnet2:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: !Ref NatGwSubnet2CIDR
+ 
AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 2 + - Key: Network + Value: Private + NatGwSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 3 + - Key: Network + Value: Private + NatGwSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 4 + - Key: Network + Value: Private + NatGwSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 1 Route Table + - Key: Network + Value: Public + NatGwSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet1RouteTable + NatGwSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet1RouteTable + SubnetId: !Ref NatGwSubnet1 + NatGwSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 2 Route Table + - Key: Network + Value: Public + NatGwSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet2RouteTable + NatGwSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet2RouteTable + SubnetId: !Ref NatGwSubnet2 + NatGwSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 3 Route Table + - Key: Network + Value: Public + NatGwSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 
0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet3RouteTable + NatGwSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref NatGwSubnet3RouteTable + SubnetId: !Ref NatGwSubnet3 + NatGwSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 4 Route Table + - Key: Network + Value: Public + NatGwSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet4RouteTable + NatGwSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref NatGwSubnet4RouteTable + SubnetId: !Ref NatGwSubnet4 + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/gwlb.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: false + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + 
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Adding cloud wan identifier to cloud-version"' + - 'template="autoscale_gwlb_cloud_wan"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + GWLBe1: + DependsOn: [GWLBStack, GWLBeSubnet1] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet1 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe2: + DependsOn: [GWLBStack, GWLBeSubnet2] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet2 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe3: + DependsOn: [GWLBStack, GWLBeSubnet3] + Type: AWS::EC2::VPCEndpoint + Condition: 3AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet3 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe4: + DependsOn: [GWLBStack, GWLBeSubnet4] + Type: 
AWS::EC2::VPCEndpoint + Condition: 4AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet4 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + CloudWANAttachmentSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 1 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet1GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe1 + RouteTableId: !Ref CloudWANAttachmentSubnet1RouteTable + CloudWANAttachmentSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet1RouteTable + SubnetId: !Ref CloudWANSubnet1Id + CloudWANAttachmentSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 2 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet2GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe2 + RouteTableId: !Ref CloudWANAttachmentSubnet2RouteTable + CloudWANAttachmentSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet2RouteTable + SubnetId: !Ref CloudWANSubnet2Id + CloudWANAttachmentSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 3 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet3GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe3 + RouteTableId: !Ref CloudWANAttachmentSubnet3RouteTable + CloudWANAttachmentSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + 
Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet3RouteTable + SubnetId: !Ref CloudWANSubnet3Id + CloudWANAttachmentSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 4 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet4GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe4 + RouteTableId: !Ref CloudWANAttachmentSubnet4RouteTable + CloudWANAttachmentSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet4RouteTable + SubnetId: !Ref CloudWANSubnet4Id + CloudWANGlobalNetwork: + Type: AWS::NetworkManager::GlobalNetwork + Properties: + Description: Check Point Gateway Load Balancer for Cloud WAN Global Network + CloudWANCoreNetwork: + Type: AWS::NetworkManager::CoreNetwork + Properties: + Description: Check Point Gateway Load Balancer for Cloud WAN Core Network + GlobalNetworkId: !Ref CloudWANGlobalNetwork + PolicyDocument: + { + "version": "2021.12", + "core-network-configuration": { + "vpn-ecmp-support": false, + "asn-ranges": [ + "64512-65534" + ], + "edge-locations": [ + { + "location": { "Ref" : "AWS::Region" } + } + ] + }, + "segments": [ + { + "name": "dev", + "edge-locations": [{ "Ref" : "AWS::Region" }], + "require-attachment-acceptance": false + }, + { + "name": "SecurityVpc", + "edge-locations": [{ "Ref" : "AWS::Region" }], + "require-attachment-acceptance": false + }, + { + "name": "prod", + "edge-locations": [{ "Ref" : "AWS::Region" }], + "require-attachment-acceptance": false + } + ], + "segment-actions": [ + { + "action": "share", + "mode": "attachment-route", + "segment": "SecurityVpc", + "share-with": [ + "dev", + "prod" + ] + } + ], + "attachment-policies": [ + { + "rule-number": 100, + "conditions": [ + { + "type": "tag-value", + 
"operator": "equals", + "key": "segment", + "value": "dev" + } + ], + "action": { + "association-method": "constant", + "segment": "dev" + } + }, + { + "rule-number": 150, + "conditions": [ + { + "type": "tag-value", + "operator": "equals", + "key": "segment", + "value": "prod" + } + ], + "action": { + "association-method": "constant", + "segment": "prod" + } + }, + { + "rule-number": 200, + "conditions": [ + { + "type": "tag-value", + "operator": "equals", + "key": "segment", + "value": "SecurityVpc" + } + ], + "action": { + "association-method": "constant", + "segment": "SecurityVpc" + } + } + ] + } + CloudWANSecurityVpcAttachement: + DependsOn: CloudWANCoreNetwork + Type: AWS::NetworkManager::VpcAttachment + Properties: + CoreNetworkId: !GetAtt CloudWANCoreNetwork.CoreNetworkId + SubnetArns: + - !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet1Id ] ] + - !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet2Id ] ] + - !If [ 3AZs, !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet3Id ] ] , !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet4Id ] ] , !Ref 'AWS::NoValue' ] + Tags: + - Key: segment + Value: SecurityVpc + VpcArn: !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":vpc/", !Ref VPC ] ] + NatGwPublicAddress1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress2: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress3: + Type: AWS::EC2::EIP + Condition: 3AZs + Properties: + Domain: vpc + NatGwPublicAddress4: + Type: AWS::EC2::EIP + Condition: 4AZs + Properties: + Domain: vpc + NatGateway1: + DependsOn: [GWLBStack, NatGwSubnet1] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress1.AllocationId 
+ SubnetId: !Ref NatGwSubnet1 + Tags: + - Key: Name + Value: NatGW1 + NatGateway2: + DependsOn: [GWLBStack, NatGwSubnet2] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress2.AllocationId + SubnetId: !Ref NatGwSubnet2 + Tags: + - Key: Name + Value: NatGW2 + NatGateway3: + DependsOn: [GWLBStack, NatGwSubnet3] + Type: AWS::EC2::NatGateway + Condition: 3AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress3.AllocationId + SubnetId: !Ref NatGwSubnet3 + Tags: + - Key: Name + Value: NatGW3 + NatGateway4: + DependsOn: [GWLBStack, NatGwSubnet4] + Type: AWS::EC2::NatGateway + Condition: 4AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress4.AllocationId + SubnetId: !Ref NatGwSubnet4 + Tags: + - Key: Name + Value: NatGW4 +Outputs: + ManagementPublicAddress: + Description: The public address of the management server + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName + GlobalNetworkId: + Description: Cloud WAN Global Network ID + Value: !GetAtt CloudWANGlobalNetwork.Id + CoreNetworkId: + Description: Cloud WAN Core Network ID + Value: !GetAtt CloudWANCoreNetwork.CoreNetworkId + SecurityVpcAttachmentId: + Description: Cloud WAN Security VPC Attachment ID + Value: !GetAtt CloudWANSecurityVpcAttachement.AttachmentId \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc-master.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc-master.yaml new file mode 100755 index 00000000..b9d86c06 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc-master.yaml 
@@ -0,0 +1,874 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Cloud WAN and attach the VPC to existing Core Network (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CloudWANSubnet1CIDR + - CloudWANSubnet2CIDR + - CloudWANSubnet3CIDR + - CloudWANSubnet4CIDR + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - CloudWatch + - Label: + default: Cloud WAN configuration + Parameters: + - CoreNetworkID + - VPCAttachmentTagKey + - VPCAttachmentTagValue + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - 
ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CloudWANSubnet1CIDR: + default: Cloud WAN subnet 1 CIDR + CloudWANSubnet2CIDR: + default: Cloud WAN subnet 2 CIDR + CloudWANSubnet3CIDR: + default: Cloud WAN subnet 3 CIDR + CloudWANSubnet4CIDR: + default: Cloud WAN subnet 4 CIDR + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: 
Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + CloudWatch: + default: CloudWatch metrics + CoreNetworkID: + default: Cloud WAN Core Network ID + VPCAttachmentTagKey: + default: Cloud WAN VPC attachment tag key + VPCAttachmentTagValue: + default: Cloud WAN VPC attachment tag value + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved) + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: The CIDR block of the provided VPC. 
+ Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet1CIDR: + Description: CIDR block for Cloud WAN subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.12.0/24 + AllowedPattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet2CIDR: + Description: CIDR block for Cloud WAN subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet3CIDR: + Description: CIDR block for Cloud WAN subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + CloudWANSubnet4CIDR: + Description: CIDR block for Cloud WAN subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: 
CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone + Type: String + 
Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration + Type: String + Default: gwlb-wan-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration + Type: String + Default: gwlb-wan-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb-wan1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg-gwlb-wan1 + ConstraintDescription: Must be a valid target group name + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. 
+ Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge 
+ - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address + Type: String + Default: private + AllowedValues: + - private + - public + CloudWatch: + Description: Report Check Point specific CloudWatch metrics + Type: String + Default: false + AllowedValues: + - true + - false + CoreNetworkID: + Description: The Core Network ID to attach the Security VPC with + Type: String + MinLength: 1 + ConstraintDescription: You must insert a Core Network ID + VPCAttachmentTagKey: + Description: The tag key of the Security VPC attachment to Cloud WAN Core Newtork + Type: String + MinLength: 1 + Default: Check-Point-Cloud-WAN + VPCAttachmentTagValue: + Description: The tag value of the Security VPC attachment to Cloud WAN Core Newtork + Type: String + MinLength: 1 + Default: Security-VPC-Attachment + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge 
+ - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref 
CloudWANSubnet1CIDR + AttachmentSubnet2CIDR: !Ref CloudWANSubnet2CIDR + AttachmentSubnet3CIDR: !Ref CloudWANSubnet3CIDR + AttachmentSubnet4CIDR: !Ref CloudWANSubnet4CIDR + CloudWANGwlbStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/gwlb-wan-security-vpc.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + IGWID: !GetAtt VPCStack.Outputs.IGWID + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + CloudWANSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + CloudWANSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + CloudWANSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""] + CloudWANSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""] + NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR + NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR + NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR + NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + 
GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + CloudWatch: !Ref CloudWatch + CoreNetworkID: !Ref CoreNetworkID + VPCAttachmentTagKey: !Ref VPCAttachmentTagKey + VPCAttachmentTagValue: !Ref VPCAttachmentTagValue + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + VPCID: + Description: VPC ID + Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server + Value: !GetAtt CloudWANGwlbStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !GetAtt CloudWANGwlbStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt CloudWANGwlbStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name + Value: !GetAtt CloudWANGwlbStack.Outputs.GWLBServiceName + CloudWANSubnet1ID: + Description: Cloud WAN subnet 1 ID in Availability Zone 1 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + CloudWANSubnet2ID: + Description: Cloud WAN subnet 2 ID in Availability Zone 2 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + CloudWANSubnet3ID: + Description: Cloud WAN subnet 3 ID in Availability Zone 3 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID + Condition: 3AZs + CloudWANSubnet4ID: + Description: Cloud WAN subnet 4 ID in Availability Zone 4 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID + Condition: 4AZs + CloudWANSubnet1CIDR: + Description: Cloud WAN subnet 1 CIDR in Availability Zone 1 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR + CloudWANSubnet2CIDR: + Description: Cloud WAN subnet 2 CIDR in Availability Zone 2 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR + CloudWANSubnet3CIDR: + Description: Cloud WAN subnet 3 CIDR in Availability Zone 3 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR + Condition: 3AZs + CloudWANSubnet4CIDR: + Description: Cloud WAN subnet 4 CIDR in Availability Zone 4 + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR + Condition: 4AZs + SecurityVpcAttachmentId: + Description: Cloud WAN Security VPC Attachment ID + Value: !GetAtt CloudWANGwlbStack.Outputs.SecurityVpcAttachmentId + SecurityVpcAttachmentSegment: + Description: Cloud WAN Security VPC Attachment Segment + Value: !GetAtt CloudWANGwlbStack.Outputs.SecurityVpcAttachmentSegment \ No newline at end of file 
diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc.yaml
new file mode 100755
index 00000000..cb188c84
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/gwlb-wan-security-vpc.yaml
@@ -0,0 +1,1241 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Cloud WAN and attach the VPC to existing Core Network (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - IGWID + - AvailabilityZones + - NumberOfAZs + - GatewaysSubnets + - CloudWANSubnet1Id + - CloudWANSubnet2Id + - CloudWANSubnet3Id + - CloudWANSubnet4Id + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - CloudWatch + - Label: + default: Cloud WAN configuration + Parameters: + - CoreNetworkID + - VPCAttachmentTagKey + - VPCAttachmentTagValue + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement 
+ - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + IGWID: + default: Internet Gateway ID + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + GatewaysSubnets: + default: Gateways subnets + CloudWANSubnet1Id: + default: Cloud WAN Attachment subnet 1 Id + CloudWANSubnet2Id: + default: Cloud WAN Attachment subnet 2 Id + CloudWANSubnet3Id: + default: Cloud WAN Attachment subnet 3 Id + CloudWANSubnet4Id: + default: Cloud WAN Attachment subnet 4 Id + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + 
ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + CloudWatch: + default: CloudWatch metrics + CoreNetworkID: + default: Cloud WAN Core Network ID + VPCAttachmentTagKey: + default: Cloud WAN VPC attachment tag key + VPCAttachmentTagValue: + default: Cloud WAN VPC attachment tag value + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Description: Select an existing VPC + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC + IGWID: + Description: VPC's Internet Gateway Id (e.g. igw-123a4567) + Type: String + MinLength: 1 + ConstraintDescription: You must insert an Internet Gateway Id + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved) + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet + Type: List + MinLength: 2 + CloudWANSubnet1Id: + Description: The Cloud WAN attachment subnet ID located in the 1st Availability Zone + Type: String + MinLength: 1 + ConstraintDescription: You must insert Cloud WAN Subnet Id for Availability Zone 1 + CloudWANSubnet2Id: + Description: The Cloud WAN attachment subnet ID located in the 2nd Availability Zone + Type: String + MinLength: 1 + ConstraintDescription: You must insert Cloud WAN Subnet Id for Availability Zone 2 + CloudWANSubnet3Id: + Description: The Cloud WAN attachment subnet ID located in the 3rd Availability Zone + Type: String + CloudWANSubnet4Id: + Description: The Cloud WAN attachment subnet ID located in the 4th Availability Zone + Type: String + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability 
Zone + Type: String + Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone + Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone + Type: String + Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone + Type: String + Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair + EnableVolumeEncryption: + Description: 
Encrypt Environment instances volume with default AWS KMS key + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration + Type: String + Default: gwlb-wan-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration + Type: String + Default: gwlb-wan-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayName: + Description: The name tag of the Security Gateway instances (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - 
m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address + Type: String + Default: private + AllowedValues: + - private + - public + CloudWatch: + Description: Report Check Point specific CloudWatch metrics + Type: String + Default: false + AllowedValues: + - true + - false + CoreNetworkID: + Description: The Core Network ID to attach the Security VPC with + Type: String + MinLength: 1 + ConstraintDescription: You must insert a Core Network ID + VPCAttachmentTagKey: + Description: The tag key of the Security VPC attachment to Cloud WAN Core Newtork + Type: String + MinLength: 1 + Default: Check-Point-Cloud-WAN + VPCAttachmentTagValue: + Description: The tag value of the Security VPC attachment to Cloud WAN Core Newtork + Type: String + MinLength: 1 + Default: Security-VPC-Attachment + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb-wan1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg-gwlb-wan1 + ConstraintDescription: Must be a valid target group name + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. 
+ Type: String + Default: true + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + GWLBeSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 1 + - Key: Network + Value: Private + GWLBeSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 2 + - Key: Network + Value: Private + GWLBeSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 3 + - Key: Network + Value: Private + GWLBeSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 4 + - Key: Network + Value: Private + GWLBeSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 1 Route Table + - Key: Network + Value: Private + GWLBeSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway1 + RouteTableId: !Ref GWLBeSubnet1RouteTable + GWLBeSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet1RouteTable + SubnetId: !Ref GWLBeSubnet1 + GWLBeSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + 
VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 2 Route Table + - Key: Network + Value: Private + GWLBeSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway2 + RouteTableId: !Ref GWLBeSubnet2RouteTable + GWLBeSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet2RouteTable + SubnetId: !Ref GWLBeSubnet2 + GWLBeSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 3 Route Table + - Key: Network + Value: Private + GWLBeSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway3 + RouteTableId: !Ref GWLBeSubnet3RouteTable + GWLBeSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref GWLBeSubnet3RouteTable + SubnetId: !Ref GWLBeSubnet3 + GWLBeSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 4 Route Table + - Key: Network + Value: Private + GWLBeSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway4 + RouteTableId: !Ref GWLBeSubnet4RouteTable + GWLBeSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref GWLBeSubnet4RouteTable + SubnetId: !Ref GWLBeSubnet4 + NatGwSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 1 + - Key: Network + Value: Private + NatGwSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet2CIDR + 
AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 2 + - Key: Network + Value: Private + NatGwSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 3 + - Key: Network + Value: Private + NatGwSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 4 + - Key: Network + Value: Private + NatGwSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 1 Route Table + - Key: Network + Value: Public + NatGwSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet1RouteTable + NatGwSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet1RouteTable + SubnetId: !Ref NatGwSubnet1 + NatGwSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 2 Route Table + - Key: Network + Value: Public + NatGwSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet2RouteTable + NatGwSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet2RouteTable + SubnetId: !Ref NatGwSubnet2 + NatGwSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 3 Route Table + - Key: Network + Value: Public + NatGwSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 
0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet3RouteTable + NatGwSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref NatGwSubnet3RouteTable + SubnetId: !Ref NatGwSubnet3 + NatGwSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 4 Route Table + - Key: Network + Value: Public + NatGwSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet4RouteTable + NatGwSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref NatGwSubnet4RouteTable + SubnetId: !Ref NatGwSubnet4 + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/gwlb.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: false + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + 
ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Adding cloud wan identifier to cloud-version"' + - 'template="autoscale_gwlb_cloud_wan"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + GWLBe1: + DependsOn: [GWLBStack, GWLBeSubnet1] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet1 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe2: + DependsOn: [GWLBStack, GWLBeSubnet2] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet2 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe3: + DependsOn: [GWLBStack, GWLBeSubnet3] + Type: AWS::EC2::VPCEndpoint + Condition: 3AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet3 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe4: + DependsOn: [GWLBStack, GWLBeSubnet4] + Type: 
AWS::EC2::VPCEndpoint + Condition: 4AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet4 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + CloudWANAttachmentSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 1 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet1GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe1 + RouteTableId: !Ref CloudWANAttachmentSubnet1RouteTable + CloudWANAttachmentSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet1RouteTable + SubnetId: !Ref CloudWANSubnet1Id + CloudWANAttachmentSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 2 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet2GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe2 + RouteTableId: !Ref CloudWANAttachmentSubnet2RouteTable + CloudWANAttachmentSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet2RouteTable + SubnetId: !Ref CloudWANSubnet2Id + CloudWANAttachmentSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 3 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet3GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe3 + RouteTableId: !Ref CloudWANAttachmentSubnet3RouteTable + CloudWANAttachmentSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + 
Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet3RouteTable + SubnetId: !Ref CloudWANSubnet3Id + CloudWANAttachmentSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: CloudWAN Attachment Subnet 4 Route Table + - Key: Network + Value: Private + CloudWANAttachmentSubnet4GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe4 + RouteTableId: !Ref CloudWANAttachmentSubnet4RouteTable + CloudWANAttachmentSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref CloudWANAttachmentSubnet4RouteTable + SubnetId: !Ref CloudWANSubnet4Id + CloudWANAttachement: + Type: AWS::NetworkManager::VpcAttachment + Properties: + CoreNetworkId: !Ref CoreNetworkID + SubnetArns: + - !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet1Id] ] + - !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet2Id] ] + - !If [3AZs, !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet3Id] ] , !Ref 'AWS::NoValue'] + - !If [4AZs, !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":subnet/", !Ref CloudWANSubnet4Id] ] , !Ref 'AWS::NoValue'] + Tags: + - Key: !Ref VPCAttachmentTagKey + Value: !Ref VPCAttachmentTagValue + VpcArn: !Join [ "", [ "arn:aws:ec2:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":vpc/", !Ref VPC] ] + NatGwPublicAddress1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress2: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress3: + Type: AWS::EC2::EIP + Condition: 3AZs + Properties: + Domain: vpc + NatGwPublicAddress4: + Type: AWS::EC2::EIP + Condition: 4AZs + Properties: + Domain: vpc + NatGateway1: + DependsOn: 
[GWLBStack, NatGwSubnet1] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress1.AllocationId + SubnetId: !Ref NatGwSubnet1 + Tags: + - Key: Name + Value: NatGW1 + NatGateway2: + DependsOn: [GWLBStack, NatGwSubnet2] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress2.AllocationId + SubnetId: !Ref NatGwSubnet2 + Tags: + - Key: Name + Value: NatGW2 + NatGateway3: + DependsOn: [GWLBStack, NatGwSubnet3] + Type: AWS::EC2::NatGateway + Condition: 3AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress3.AllocationId + SubnetId: !Ref NatGwSubnet3 + Tags: + - Key: Name + Value: NatGW3 + NatGateway4: + DependsOn: [GWLBStack, NatGwSubnet4] + Type: AWS::EC2::NatGateway + Condition: 4AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress4.AllocationId + SubnetId: !Ref NatGwSubnet4 + Tags: + - Key: Name + Value: NatGW4 +Outputs: + ManagementPublicAddress: + Description: The public address of the management server + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName + SecurityVpcAttachmentId: + Description: Cloud WAN Security VPC Attachment ID + Value: !GetAtt CloudWANAttachement.AttachmentId + SecurityVpcAttachmentSegment: + Description: Cloud WAN Security VPC Attachment Segment + Value: !GetAtt CloudWANAttachement.SegmentName \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/gwlb/gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/gwlb.yaml new file mode 100755 index 00000000..4a590be4 --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/gwlb.yaml 
@@ -0,0 +1,732 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata 
HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. 
+ Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + 
- r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. 
+ Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Type: gateway + Name: !Ref GWLBName + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: !Ref CrossZoneLoadBalancing + Subnets: !Ref GatewaysSubnets + Tags: + - Key: x-chkp-management + Value: !Ref ManagementServer + - Key: x-chkp-template + Value: !Ref ConfigurationTemplate + VpcEndpointService: + Type: AWS::EC2::VPCEndpointService + Properties: + AcceptanceRequired: !Ref AcceptConnectionRequired + GatewayLoadBalancerArns: + - !Ref GatewayLoadBalancer + TargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Ref TargetGroupName + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 8117 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: !Ref VPC + TargetType: instance + Tags: + - Key: Name + Value: !Join + - "" + - - !Ref AWS::StackName + - "-tg1" + Listener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref TargetGroup + LoadBalancerArn: !Ref GatewayLoadBalancer + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref 
KeyName + Shell: !Ref Shell + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewaysTargetGroups: !Ref TargetGroup + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: __URL__/gwlb/management-gwlb.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + ManagementPermissions: Create with read-write permissions + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + ManagementBootstrapScript: 
!Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'controller="gwlb-controller"' + - 'echo "Creating CME configuration"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam' + - 'echo -e "\nFinished Bootstrap script\n"' +Outputs: + VPCID: + Description: VPC ID. + Value: !Ref VPC + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: gwlb-controller + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. 
+ Value: !Sub ['com.amazonaws.vpce.${AWS::Region}.${Service}', {Service: !Ref VpcEndpointService}]
+Rules:
+ GatewayAddressAllocationRule:
+ RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+ Assertions:
+ - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+ Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/deprecated/aws/templates/R80.40/gwlb/management-gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/management-gwlb.yaml
new file mode 100755
index 00000000..d90c292e
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/management-gwlb.yaml
@@ -0,0 +1,584 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Management Server (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ManagementSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - PrimaryManagement + - ManagementSICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + ManagementSubnet: + default: Management subnet + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: 
Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + PrimaryManagement: + default: Primary management + ManagementSICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ManagementSubnet: + Description: To access the instance from the internet, make sure the subnet has + a route to the internet + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. 
+ Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + PrimaryManagement: + Description: Determines if this is the primary Management Server or not. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementSICKey: + Description: >- + Mandatory only if deploying a secondary Management Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise, + at least 8 alpha numeric characters. 
+ NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref ManagementSICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/gwlb/cme-iam-role-gwlb.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + 
DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; primary_mgmt=${PrimaryManagement} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary}' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref ManagementSICKey, ')"']]] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" 
templateName=\"management_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" primary=\"${primary_mgmt}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"'
+ VersionDescription: Initial template version
+ PublicAddress:
+ Type: AWS::EC2::EIP
+ Condition: EIP
+ Properties:
+ Domain: vpc
+ AddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ Condition: EIP
+ DependsOn: ManagementInstance
+ Properties:
+ InstanceId: !Ref ManagementInstance
+ AllocationId: !GetAtt PublicAddress.AllocationId
+Outputs:
+ PublicAddress:
+ Condition: EIP
+ Description: The public address of the Management Server.
+ Value: !Ref PublicAddress
+ SSH:
+ Condition: EIP
+ Description: SSH command.
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]]
+ URL:
+ Condition: EIP
+ Description: URL to the portal.
+ Value: !Join ['', ['https://', !Ref PublicAddress]]
diff --git a/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb-master.yaml b/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb-master.yaml
new file mode 100755
index 00000000..051781e3
--- /dev/null
+++ b/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb-master.yaml
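Review bot: The SIC key, both password hashes and the bootstrap script are embedded in the launch template's UserData (the `'Fn::Base64': !Ref ManagementSICKey`, `ManagementPasswordHash`, `ManagementMaintenancePasswordHash` and `ManagementBootstrapScript` joins feeding `python3 /etc/cloud_config.py`), so `NoEcho: true` only keeps them out of CloudFormation output; user data is still readable by any principal allowed `ec2:DescribeInstanceAttribute` on the instance and by any process on the box via the metadata service, and `HttpTokens: required` (the `MetaDataToken` default) only hardens the latter against SSRF-style reads rather than removing the exposure. This matters most for the SIC key, which the parameter description says establishes trust between components and which travels as plain base64. Suggest saying so in the parameter descriptions, e.g. appending to `ManagementSICKey` and `ManagementBootstrapScript`: `Note: this value is written to the instance user data and can be read by anyone with ec2:DescribeInstanceAttribute or access to the instance metadata service.` Separately, `AdminCIDR` has no default and its AllowedPattern accepts `0.0.0.0/0`, which would expose ports 22, 443, 18190 and 19009 of `ManagementSecurityGroup` to the internet whenever an EIP is allocated; a `ConstraintDescription` warning or a `Rules` assertion rejecting `0.0.0.0/0` would be a cheap guard.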
@@ -0,0 +1,873 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - TgwSubnet3CIDR + - TgwSubnet4CIDR + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + 
AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + TgwSubnet1CIDR: + default: TGW subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW subnet 2 CIDR + TgwSubnet3CIDR: + default: TGW subnet 3 CIDR + TgwSubnet4CIDR: + default: TGW subnet 4 CIDR + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + 
GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. 
+ Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ TgwSubnet3CIDR: + Description: CIDR block for TGW subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet4CIDR: + Description: CIDR block for TGW subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.42.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.23.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.43.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. 
+ Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.24.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.44.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + 
- r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. 
+ NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + AttachmentSubnet3CIDR: !Ref TgwSubnet3CIDR + AttachmentSubnet4CIDR: !Ref TgwSubnet4CIDR + TgwGwlbStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/tgw-gwlb.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + IGWID: !GetAtt VPCStack.Outputs.IGWID + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + TgwSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + TgwSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""] + TgwSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""] + NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR + NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR + 
NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR + NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + VPCID: + Description: VPC ID. 
+ Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt TgwGwlbStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt TgwGwlbStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt TgwGwlbStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt TgwGwlbStack.Outputs.GWLBServiceName + TgwSubnet1ID: + Description: TGW subnet 1 ID in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwSubnet2ID: + Description: TGW subnet 2 ID in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + TgwSubnet3ID: + Description: TGW subnet 3 ID in Availability Zone 3. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID + Condition: 3AZs + TgwSubnet4ID: + Description: TGW subnet 4 ID in Availability Zone 4. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID + Condition: 4AZs + TgwSubnet1CIDR: + Description: TGW subnet 1 CIDR in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR + TgwSubnet2CIDR: + Description: TGW subnet 2 CIDR in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR + TgwSubnet3CIDR: + Description: TGW subnet 3 CIDR in Availability Zone 3. 
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR + Condition: 3AZs + TgwSubnet4CIDR: + Description: TGW subnet 4 CIDR in Availability Zone 4. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR + Condition: 4AZs +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb.yaml b/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb.yaml new file mode 100755 index 00000000..72823cfb --- /dev/null +++ b/deprecated/aws/templates/R80.40/gwlb/tgw-gwlb.yaml 
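Review bot: Six of the per-AZ CIDR parameters in this tgw-gwlb-master.yaml — TgwSubnet2CIDR, TgwSubnet4CIDR, NatGwSubnet2CIDR, NatGwSubnet4CIDR, GWLBeSubnet2CIDR and GWLBeSubnet4CIDR — carry a ConstraintDescription but no AllowedPattern, while their odd-numbered siblings validate against `x.x.x.x/16-28`, so a malformed value passes the parameter boundary, the ConstraintDescription is never shown, and the error only surfaces when the nested TgwGwlbStack tries to create the subnet. Adding the same `AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'` line under each of the six parameters closes the gap. Since this commit only moves the R80.40 template under deprecated/, the fix matters mainly if the maintained gwlb templates share the same omission, which is worth checking there. Separately, GatewayMaintenancePasswordHash and ManagementMaintenancePasswordHash use the unanchored pattern `'[\$\./a-zA-Z0-9]*'` where the other hash parameters use `'^[\$\./a-zA-Z0-9]*$'`; CloudFormation appears to match AllowedPattern against the whole value so this is probably cosmetic, but anchoring it keeps the intent explicit and consistent.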
@@ -0,0 +1,1221 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - IGWID + - AvailabilityZones + - NumberOfAZs + - GatewaysSubnets + - TgwSubnet1Id + - TgwSubnet2Id + - TgwSubnet3Id + - TgwSubnet4Id + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + IGWID: + default: Internet Gateway ID + 
AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + GatewaysSubnets: + default: Gateways subnets + TgwSubnet1Id: + default: Transit Gateway Attachment subnet 1 Id + TgwSubnet2Id: + default: Transit Gateway Attachment subnet 2 Id + TgwSubnet3Id: + default: Transit Gateway Attachment subnet 3 Id + TgwSubnet4Id: + default: Transit Gateway Attachment subnet 4 Id + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: 
Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + IGWID: + Description: VPC's Internet Gateway Id (e.g. igw-123a4567). + Type: String + MinLength: 1 + ConstraintDescription: You must insert an Internet Gateway Id. + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + TgwSubnet1Id: + Description: The TGW attachment subnet ID located in the 1st Availability Zone. + Type: String + MinLength: 1 + ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 1. 
+ TgwSubnet2Id: + Description: The TGW attachment subnet ID located in the 2nd Availability Zone. + Type: String + MinLength: 1 + ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 2. + TgwSubnet3Id: + Description: The TGW attachment subnet ID located in the 3rd Availability Zone. + Type: String + TgwSubnet4Id: + Description: The TGW attachment subnet ID located in the 4th Availability Zone. + Type: String + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayName: + Description: The name tag of the Security Gateway instances. 
(optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance 
type. + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + GWLBeSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 1 + - Key: Network + Value: Private + GWLBeSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 2 + - Key: Network + Value: Private + GWLBeSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 3 + - Key: Network + Value: Private + GWLBeSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 4 + - Key: Network + Value: Private + GWLBeSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 1 Route Table + - Key: Network + Value: Private + GWLBeSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway1 + RouteTableId: !Ref GWLBeSubnet1RouteTable + GWLBeSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet1RouteTable + SubnetId: !Ref GWLBeSubnet1 + GWLBeSubnet2RouteTable: + Type: 
AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 2 Route Table + - Key: Network + Value: Private + GWLBeSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway2 + RouteTableId: !Ref GWLBeSubnet2RouteTable + GWLBeSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet2RouteTable + SubnetId: !Ref GWLBeSubnet2 + GWLBeSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 3 Route Table + - Key: Network + Value: Private + GWLBeSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway3 + RouteTableId: !Ref GWLBeSubnet3RouteTable + GWLBeSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref GWLBeSubnet3RouteTable + SubnetId: !Ref GWLBeSubnet3 + GWLBeSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 4 Route Table + - Key: Network + Value: Private + GWLBeSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway4 + RouteTableId: !Ref GWLBeSubnet4RouteTable + GWLBeSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref GWLBeSubnet4RouteTable + SubnetId: !Ref GWLBeSubnet4 + NatGwSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 1 + - Key: Network + Value: Private + NatGwSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 
!Ref NatGwSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 2 + - Key: Network + Value: Private + NatGwSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 3 + - Key: Network + Value: Private + NatGwSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 4 + - Key: Network + Value: Private + NatGwSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 1 Route Table + - Key: Network + Value: Public + NatGwSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet1RouteTable + NatGwSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet1RouteTable + SubnetId: !Ref NatGwSubnet1 + NatGwSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 2 Route Table + - Key: Network + Value: Public + NatGwSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet2RouteTable + NatGwSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet2RouteTable + SubnetId: !Ref NatGwSubnet2 + NatGwSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 3 Route Table + - Key: Network + Value: Public + NatGwSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: 
+ DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet3RouteTable + NatGwSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref NatGwSubnet3RouteTable + SubnetId: !Ref NatGwSubnet3 + NatGwSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 4 Route Table + - Key: Network + Value: Public + NatGwSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet4RouteTable + NatGwSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref NatGwSubnet4RouteTable + SubnetId: !Ref NatGwSubnet4 + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gwlb/gwlb.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: false + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + 
GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + GWLBe1: + DependsOn: [GWLBStack, GWLBeSubnet1] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet1 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe2: + DependsOn: [GWLBStack, GWLBeSubnet2] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet2 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe3: + DependsOn: [GWLBStack, GWLBeSubnet3] + Type: AWS::EC2::VPCEndpoint + Condition: 3AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet3 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe4: + DependsOn: [GWLBStack, GWLBeSubnet4] + Type: AWS::EC2::VPCEndpoint + Condition: 4AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet4 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + TGWAttachmentSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 1 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet1GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + 
VpcEndpointId: !Ref GWLBe1 + RouteTableId: !Ref TGWAttachmentSubnet1RouteTable + TGWAttachmentSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet1RouteTable + SubnetId: !Ref TgwSubnet1Id + TGWAttachmentSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 2 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet2GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe2 + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + TGWAttachmentSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + SubnetId: !Ref TgwSubnet2Id + TGWAttachmentSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 3 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet3GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe3 + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + TGWAttachmentSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + SubnetId: !Ref TgwSubnet3Id + TGWAttachmentSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 4 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet4GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe4 + RouteTableId: !Ref TGWAttachmentSubnet4RouteTable + TGWAttachmentSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + 
Condition: 4AZs + Properties: + RouteTableId: !Ref TGWAttachmentSubnet4RouteTable + SubnetId: !Ref TgwSubnet4Id + NatGwPublicAddress1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress2: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress3: + Type: AWS::EC2::EIP + Condition: 3AZs + Properties: + Domain: vpc + NatGwPublicAddress4: + Type: AWS::EC2::EIP + Condition: 4AZs + Properties: + Domain: vpc + NatGateway1: + DependsOn: [GWLBStack, NatGwSubnet1] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress1.AllocationId + SubnetId: !Ref NatGwSubnet1 + Tags: + - Key: Name + Value: NatGW1 + NatGateway2: + DependsOn: [GWLBStack, NatGwSubnet2] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress2.AllocationId + SubnetId: !Ref NatGwSubnet2 + Tags: + - Key: Name + Value: NatGW2 + NatGateway3: + DependsOn: [GWLBStack, NatGwSubnet3] + Type: AWS::EC2::NatGateway + Condition: 3AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress3.AllocationId + SubnetId: !Ref NatGwSubnet3 + Tags: + - Key: Name + Value: NatGW3 + NatGateway4: + DependsOn: [GWLBStack, NatGwSubnet4] + Type: AWS::EC2::NatGateway + Condition: 4AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress4.AllocationId + SubnetId: !Ref NatGwSubnet4 + Tags: + - Key: Name + Value: NatGW4 +Outputs: + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/deprecated/aws/templates/R80.40/iam/cloudwatch-policy.yaml b/deprecated/aws/templates/R80.40/iam/cloudwatch-policy.yaml new file mode 100755 index 00000000..a9a233e8 --- /dev/null +++ b/deprecated/aws/templates/R80.40/iam/cloudwatch-policy.yaml @@ -0,0 +1,39 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Policy Attributes + Parameters: + - PolicyName + - PolicyRole + ParameterLabels: + PolicyName: + default: Policy name + PolicyRole: + default: IAM role name +Parameters: + PolicyName: + Description: '' + Type: String + Default: 'Cloudwatch' + AllowedPattern: '[\w+=,.@-]+' + PolicyRole: + Description: '' + Type: String + AllowedPattern: '[\w+=,.@-]+' +Resources: + IAMPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "${PolicyName}-iam-policy" + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - cloudwatch:PutMetricData + Resource: '*' + Roles: + - !Ref PolicyRole diff --git a/deprecated/aws/templates/R80.40/iam/cluster-iam-role.yaml b/deprecated/aws/templates/R80.40/iam/cluster-iam-role.yaml new file mode 100755 index 00000000..85d52102 --- /dev/null 
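Review bot: Both parameters in cloudwatch-policy.yaml are declared with `Description: ''`, so the console shows nothing beyond the labels; suggested text is `Description: Name prefix for the policy; '-iam-policy' is appended.` for PolicyName and `Description: Name of an existing IAM role the policy is attached to.` for PolicyRole. `cloudwatch:PutMetricData` has no resource-level ARNs, so `Resource: '*'` is unavoidable here, but the statement could still be narrowed with a `cloudwatch:namespace` condition if the namespace the gateways publish to is fixed; the template does not say whether it is.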
+++ b/deprecated/aws/templates/R80.40/iam/cluster-iam-role.yaml @@ -0,0 +1,35 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Resources: + ClusterIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: sts:AssumeRole + Path: / + Policies: + - PolicyName: ClusterPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - ec2:AssignPrivateIpAddresses + - ec2:AssociateAddress + - ec2:CreateRoute + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:ReplaceRoute + Resource: '*' +Outputs: + ClusterIAMRole: + Description: The IAM role. + Value: !Ref ClusterIAMRole + ClusterARNRole: + Description: The IAM role ARN. + Value: !GetAtt ClusterIAMRole.Arn diff --git a/deprecated/aws/templates/R80.40/iam/cme-iam-role.yaml b/deprecated/aws/templates/R80.40/iam/cme-iam-role.yaml new file mode 100755 index 00000000..b9f6c2bf --- /dev/null +++ b/deprecated/aws/templates/R80.40/iam/cme-iam-role.yaml 
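Review bot: ClusterPolicy grants `ec2:AssignPrivateIpAddresses`, `ec2:AssociateAddress`, `ec2:CreateRoute` and `ec2:ReplaceRoute` on `Resource: '*'`, so a cluster member can rewrite any route table or reassign any address in the account, not just those of its own VPC. The Describe actions genuinely need `'*'`, but the mutating ones support resource-level ARNs (route-table, network-interface, elastic-ip), so splitting them into a second statement scoped to the deployment VPC's resources would follow least privilege; the template currently has no VPC parameter to reference, so that would need one. The file is being archived under deprecated/, so this matters only if the template is still deployed.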
@@ -0,0 +1,159 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: IAM + Parameters: + - Permissions + - Label: + default: Advanced Configuration (optional) + Parameters: + - STSRoles + - TrustedAccount + ParameterLabels: + Permissions: + default: IAM role + STSRoles: + default: STS roles + TrustedAccount: + default: Trusted Account ID +Parameters: + Permissions: + Type: String + Default: Create with read permissions + AllowedValues: + - Create with read permissions + - Create with read-write permissions + - Create with assume role permissions (specify an STS role ARN) + STSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). + Type: String + Default: '' + TrustedAccount: + Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it. 
+ Type: String + Default: '' + AllowedPattern: '^([0-9]{12})|$' +Conditions: + AllowReadPermissions: !Or + - !Equals [!Ref Permissions, Create with read permissions] + - !Equals [!Ref Permissions, Create with read-write permissions] + AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions] + ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']] + NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount] + ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount] +Resources: + CMEIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedTrustedAccount + - Effect: Allow + Principal: + AWS: [!Ref TrustedAccount] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + - !If + - NotProvidedTrustedAccount + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + Path: / + Policies: + - PolicyName: CMEPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedSTSRoles + - Effect: Allow + Action: ['sts:AssumeRole'] + Resource: !Split [',', !Ref STSRoles] + - !Ref 'AWS::NoValue' + - !If + - AllowReadPermissions + - Effect: Allow + Action: + - autoscaling:DescribeAutoScalingGroups + - ec2:DescribeRegions + - ec2:DescribeCustomerGateways + - ec2:DescribeInstances + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeTransitGateways + - ec2:DescribeTransitGatewayAttachments + - ec2:DescribeTransitGatewayRouteTables + - ec2:DescribeVpcs + - ec2:DescribeVpnGateways + - ec2:DescribeVpnConnections + - ec2:GetTransitGatewayAttachmentPropagations + - elasticloadbalancing:DescribeLoadBalancers + - elasticloadbalancing:DescribeTags + - elasticloadbalancing:DescribeListeners + - elasticloadbalancing:DescribeTargetGroups + - elasticloadbalancing:DescribeRules + - elasticloadbalancing:DescribeTargetHealth + Resource: '*' 
+ - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - ec2:AssociateTransitGatewayRouteTable + - ec2:AttachVpnGateway + - ec2:CreateCustomerGateway + - ec2:CreateVpnConnection + - ec2:CreateVpnGateway + - ec2:DeleteCustomerGateway + - ec2:DeleteVpnConnection + - ec2:DeleteVpnGateway + - ec2:DetachVpnGateway + - ec2:DisableTransitGatewayRouteTablePropagation + - ec2:DisableVgwRoutePropagation + - ec2:DisassociateTransitGatewayRouteTable + - ec2:EnableTransitGatewayRouteTablePropagation + - ec2:EnableVgwRoutePropagation + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:DescribeStacks + - cloudformation:DescribeStackResources + - cloudformation:ListStacks + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DeleteStack + Resource: 'arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*' + - !Ref 'AWS::NoValue' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: !Ref CMEIAMRole + Roles: + - !Ref CMEIAMRole +Outputs: + CMEIAMRole: + Description: The IAM role. + Value: !Ref CMEIAMRole + CMEARNRole: + Description: The IAM role ARN. + Value: !GetAtt CMEIAMRole.Arn + InstanceProfile: + Description: The Instance Profile ARN. + Value: !GetAtt InstanceProfile.Arn \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/iam/sts-role.yaml b/deprecated/aws/templates/R80.40/iam/sts-role.yaml new file mode 100755 index 00000000..93f5cb40 --- /dev/null +++ b/deprecated/aws/templates/R80.40/iam/sts-role.yaml 
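Review bot: `AllowedPattern: '^([0-9]{12})|$'` on TrustedAccount only behaves as intended because CloudFormation matches the pattern against the entire value, so the bare `$` alternative accepts exactly the empty string; the intent reads more clearly, and matches sts-role.yaml's `'^[0-9]{12}$'`, as `AllowedPattern: '^([0-9]{12})?$'`. Separately, when a TrustedAccount is supplied the trust policy contains only that account and the `ec2.amazonaws.com` principal is dropped, yet `InstanceProfile` is still created unconditionally, leaving a profile whose role no instance can assume; if that is intended, a comment on the InstanceProfile resource saying the profile is only usable without a TrustedAccount would save the next reader the trace.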
@@ -0,0 +1,119 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for cross account permissions (20190313) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Cross Account Permissions Configuration + Parameters: + - TrustedAccount + - Permissions + ParameterLabels: + TrustedAccount: + default: Trusted Account ID + STSPermissions: + default: IAM Role Permissions +Parameters: + TrustedAccount: + Description: A 12 digits number that represents the ID of the trusted account. + Type: String + AllowedPattern: '^[0-9]{12}$' + STSPermissions: + Description: Select Read-Write if you intend to use this role with Transit VPC. + Type: String + Default: Read only + AllowedValues: + - Read only + - Read-Write +Conditions: + AllowReadPermissions: !Or + - !Equals [!Ref STSPermissions, Read only] + - !Equals [!Ref STSPermissions, Read-Write] + AllowCreateVPNPermissions: !Equals [!Ref STSPermissions, Read-Write] +Resources: + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + AWS: + - !Ref TrustedAccount + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: Policy + PolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - AllowReadPermissions + - Effect: Allow + Action: + - ec2:DescribeInstances + - ec2:DescribeNetworkInterfaces + - ec2:DescribeSubnets + - ec2:DescribeVpcs + - ec2:DescribeVpnGateways + - ec2:DescribeVpnConnections + - ec2:DescribeSecurityGroups + - elasticloadbalancing:DescribeLoadBalancers + - elasticloadbalancing:DescribeTags + - elasticloadbalancing:DescribeListeners + - elasticloadbalancing:DescribeTargetGroups + - elasticloadbalancing:DescribeRules + - elasticloadbalancing:DescribeTargetHealth + - autoscaling:DescribeAutoScalingGroups + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowCreateVPNPermissions + - Effect: Allow + Action: + - ec2:DescribeCustomerGateways + - 
ec2:CreateCustomerGateway + - ec2:DeleteCustomerGateway + - ec2:DescribeRouteTables + - ec2:EnableVgwRoutePropagation + - ec2:DisableVgwRoutePropagation + - ec2:DescribeVpnGateways + - ec2:CreateVpnGateway + - ec2:AttachVpnGateway + - ec2:DetachVpnGateway + - ec2:DeleteVpnGateway + - ec2:DescribeVpnConnections + - ec2:CreateVpnConnection + - ec2:DeleteVpnConnection + - ec2:DescribeTransitGateways + - ec2:DescribeTransitGatewayRouteTables + - ec2:DescribeTransitGatewayAttachments + - ec2:AssociateTransitGatewayRouteTable + - ec2:DisassociateTransitGatewayRouteTable + - ec2:EnableTransitGatewayRouteTablePropagation + - ec2:DisableTransitGatewayRouteTablePropagation + - ec2:GetTransitGatewayAttachmentPropagations + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowCreateVPNPermissions + - Effect: Allow + Action: + - cloudformation:DescribeStacks + - cloudformation:DescribeStackResources + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowCreateVPNPermissions + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DeleteStack + Resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/* + - !Ref 'AWS::NoValue' +Outputs: + Role: + Description: The role ARN to assume by the trusted account. + Value: !GetAtt Role.Arn diff --git a/deprecated/aws/templates/R80.40/management/management.yaml b/deprecated/aws/templates/R80.40/management/management.yaml new file mode 100755 index 00000000..c3ccc1d7 --- /dev/null +++ b/deprecated/aws/templates/R80.40/management/management.yaml 
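Review bot: The ParameterGroups entry lists `- Permissions`, but the parameter declared below is `STSPermissions` (the ParameterLabels block already uses the right name); the group entry should read `- STSPermissions`. A group that names an undeclared parameter is at best ignored by the console, so the permissions selector ends up outside the "Cross Account Permissions Configuration" group. The Description also carries the literal stamp `(20190313)` where the sibling templates use `__VERSION__`, which may be deliberate for an archived file.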
@@ -0,0 +1,585 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Management Server (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ManagementSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + ManagementSubnet: + default: Management subnet + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: 
Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ManagementSubnet: + Description: To access the instance from the internet, make sure the subnet has + a route to the internet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. 
+ Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. 
+ Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise, + at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref 
GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, 
required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" 
allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/deprecated/aws/templates/R80.40/management/mds.yaml b/deprecated/aws/templates/R80.40/management/mds.yaml new file mode 100755 index 00000000..6099ed35 --- /dev/null +++ b/deprecated/aws/templates/R80.40/management/mds.yaml 
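Review bot: The description of `ManagementPredefinedRole` is broken by a misplaced full stop, `A predefined IAM role to attach to the instance profile. Ignored.` followed by `if IAM role is not set to 'Use existing'`; it should read `... to the instance profile. Ignored if IAM role is not set to 'Use existing'.` (the same flaw appears in mds.yaml's MDSSubnet description, `make sure the subnet has.` / `a route to the internet`). Separately, the AdminCIDR pattern accepts `0.0.0.0/0`, which opens ports 22, 443, 18190 and 19009 of ManagementSecurityGroup to the whole internet once an Elastic IP is allocated; a sentence in the AdminCIDR description stating that the value should be the administrators' network only, or a Rules assertion rejecting `0.0.0.0/0`, would make that consequence visible at deploy time.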
@@ -0,0 +1,529 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploys a Check Point Multi-Domain Server (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - MDSSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + MDSSubnet: + default: MDS subnet + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: + default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: 
SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + MDSSubnet: + Description: To access the instance from the internet, make sure the subnet has. + a route to the internet + Type: AWS::EC2::Subnet::Id + MinLength: 1 + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. + Type: String + Default: m5.2xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - 
r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. 
+ Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R80.40-BYOL + AllowedValues: + - R80.40-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. 
+ MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. + Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + 
FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref MDSName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref MDSSubnet + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt 
MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/utils/copy-lambda-zip.yaml b/deprecated/aws/templates/R80.40/utils/copy-lambda-zip.yaml new file mode 100755 index 00000000..f5cdcfd2 --- /dev/null +++ b/deprecated/aws/templates/R80.40/utils/copy-lambda-zip.yaml 
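Review bot: The ParameterGroups label `IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server)` contradicts the Conditions section of the same file: `UseRole` and `CreateRole` are built from `!Or [!Condition PrimaryMDS, !Condition SecondaryMDS]`, so a Secondary Multi-Domain Server also receives the role and instance profile and only the Multi-Domain Log Server ignores these parameters; the label should read `IAM Permissions (ignored when the installation type is Multi-Domain Log Server)`. Separately, `MDSSICKey`, `MDSPasswordHash`, `MDSMaintenancePasswordHash` and `MDSBootstrapScript` are `NoEcho` parameters but are written Base64-encoded into the launch template `UserData`, where anyone able to describe the instance user data or the launch template version can read them; a one-line note on those parameters that `NoEcho` only hides the value from the CloudFormation parameter view would help deployers restrict who may read user data. The `MDSSubnet` description ("subnet has. a route") and `GatewaysAddresses` description ("Multi-Domain. Server") carry a stray period from a folded line. As this file is a relocated copy under deprecated/, these may be deliberately left untouched here, but the same wording presumably appears in the non-deprecated counterpart.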
@@ -0,0 +1,138 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an S3 bucket in the same region as the stack, and copy a zip of a Lambda from remote bucket to it (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Lambda zip location + Parameters: + - SourceBucketName + - FolderName + - LambdaPathObjects + ParameterLabels: + SourceBucketName: + default: Source Bucket Name + FolderName: + default: Folder Name + LambdaPathObjects: + default: Lambda Path +Parameters: + SourceBucketName: + Description: The source bucket (e.g. lambda-bucket ). + Type: String + MinLength: 1 + FolderName: + Description: The source folder (e.g. lambda-prefix/ ). + Type: String + AllowedPattern: '^[0-9a-zA-Z-_/]*/$' + LambdaPathObjects: + Description: A zip file (e.g. lambda.zip). + Type: String + AllowedPattern: '.*\.zip' +Resources: + LambdaZipBucket: + Type: AWS::S3::Bucket + CopyZips: + Type: Custom::CopyZips + Properties: + ServiceToken: !GetAtt CopyZipsFunction.Arn + SourceBucket: !Ref SourceBucketName + DestBucket: !Ref LambdaZipBucket + Prefix: !Ref FolderName + Objects: + - !Ref LambdaPathObjects + CopyZipsRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: lambda.amazonaws.com + Action: sts:AssumeRole + Path: / + Policies: + - PolicyName: !Sub lambda-copier-${LambdaZipBucket} + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - s3:GetObject + Resource: + - !Sub arn:aws:s3:::${SourceBucketName}/${FolderName}* + - Effect: Allow + Action: + - s3:PutObject + - s3:DeleteObject + Resource: + - !Sub arn:aws:s3:::${LambdaZipBucket}/${FolderName}* + CopyZipsFunction: + Type: AWS::Lambda::Function + Properties: + Description: Copies objects from a source S3 bucket to a destination. 
+ Handler: index.handler + Runtime: python3.7 + Role: !GetAtt CopyZipsRole.Arn + Timeout: 240 + Code: + ZipFile: | + import json + import logging + import threading + import boto3 + import cfnresponse + + + def copy_objects(source_bucket, dest_bucket, prefix, objects): + s3 = boto3.client('s3') + for o in objects: + key = prefix + o + copy_source = {'Bucket': source_bucket, 'Key': key } + print(f'copy_source: {copy_source}') + print(f'dest_bucket = {dest_bucket}') + print(f'key = {key}') + s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key) + + + def delete_objects(bucket, prefix, objects): + s3 = boto3.client('s3') + objects = {'Objects': [{'Key': prefix + o} for o in objects]} + s3.delete_objects(Bucket=bucket, Delete=objects) + + + def timeout(event, context): + logging.error('Execution is about to time out, sending failure' + ' response to CloudFormation') + cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) + + + def handler(event, context): + # make sure we send a failure to CloudFormation if the function + # is going to timeout + timer = threading.Timer((context.get_remaining_time_in_millis() + / 1000.00) - 0.5, timeout, args=[event, context]) + timer.start() + + print(f'Received event: {json.dumps(event)}') + status = cfnresponse.SUCCESS + try: + source_bucket = event['ResourceProperties']['SourceBucket'] + dest_bucket = event['ResourceProperties']['DestBucket'] + prefix = event['ResourceProperties']['Prefix'] + objects = event['ResourceProperties']['Objects'] + if event['RequestType'] == 'Delete': + delete_objects(dest_bucket, prefix, objects) + else: + copy_objects(source_bucket, dest_bucket, prefix, objects) + except Exception as e: + logging.error('Exception: %s' % e, exc_info=True) + status = cfnresponse.FAILED + finally: + timer.cancel() + cfnresponse.send(event, context, status, {}, None) +Outputs: + LambdaZipBucket: + Description: The new S3 bucket in the local region. 
+ Value: !Ref LambdaZipBucket \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/utils/tap-target-and-filter.yaml b/deprecated/aws/templates/R80.40/utils/tap-target-and-filter.yaml new file mode 100755 index 00000000..89c60ac5 --- /dev/null +++ b/deprecated/aws/templates/R80.40/utils/tap-target-and-filter.yaml 
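Review bot: `Runtime: python3.7` on `CopyZipsFunction` is a Lambda runtime that AWS has deprecated and no longer accepts for new function creation, so a fresh deployment of this template is expected to fail at that resource; the inline handler uses only f-strings, `boto3` and `cfnresponse`, which work unchanged on a currently supported runtime such as `Runtime: python3.12`. `LambdaZipBucket` is declared as a bare `Type: AWS::S3::Bucket` with no `PublicAccessBlockConfiguration` or `BucketEncryption`; newly created buckets get block-public-access and SSE-S3 by default, but stating them explicitly in the template keeps the intent reviewable and survives account-level setting changes. Since this is a copy placed under deprecated/, the same fixes likely belong in the maintained counterpart rather than only here.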
@@ -0,0 +1,68 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a traffic-mirror-filter and traffic-mirror-target (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Settings + Parameters: + - MirroringNetworkInterfaceId + - EnvironmentPrefix + ParameterLabels: + MirroringNetworkInterfaceId: + default: Mirroring target network interface id + EnvironmentPrefix: + default: Environment prefix for created resources +Parameters: + MirroringNetworkInterfaceId: + Description: The network interface ID to which all the traffic will be mirrored. + Type: String + AllowedPattern: '^eni-[a-z0-9]+$' + EnvironmentPrefix: + Description: The environment prefix for created resources. (optional) + Type: String + AllowedPattern: '[a-zA-Z0-9-_]*' + Default: cp-tap +Resources: + TrafficMirrorFilter: + Type: AWS::EC2::TrafficMirrorFilter + Properties: + Description: Traffic mirror filter. + Tags: + - Key: Name + Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-filter]] + TrafficMirrorFilterRuleIngress: + Type: AWS::EC2::TrafficMirrorFilterRule + Properties: + Description: Traffic mirror filter rule - ingress. + DestinationCidrBlock: 0.0.0.0/0 + RuleAction: accept + RuleNumber: 100 + SourceCidrBlock: 0.0.0.0/0 + TrafficDirection: ingress + TrafficMirrorFilterId: !Ref TrafficMirrorFilter + TrafficMirrorFilterRuleEgress: + Type: AWS::EC2::TrafficMirrorFilterRule + Properties: + Description: Traffic mirror filter rule - egress. + DestinationCidrBlock: 0.0.0.0/0 + RuleAction: accept + RuleNumber: 100 + SourceCidrBlock: 0.0.0.0/0 + TrafficDirection: egress + TrafficMirrorFilterId: !Ref TrafficMirrorFilter + TrafficMirrorTarget: + Type: AWS::EC2::TrafficMirrorTarget + Properties: + Description: Traffic mirror target. 
+ NetworkInterfaceId: !Ref MirroringNetworkInterfaceId + Tags: + - Key: Name + Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-target]] +Outputs: + TrafficMirrorTargetId: + Description: Traffic mirror target id. + Value: !Ref TrafficMirrorTarget + TrafficMirrorFilterId: + Description: Traffic mirror filter id. + Value: !Ref TrafficMirrorFilter \ No newline at end of file diff --git a/deprecated/aws/templates/R80.40/utils/vpc.yaml b/deprecated/aws/templates/R80.40/utils/vpc.yaml new file mode 100755 index 00000000..e04e0832 --- /dev/null +++ b/deprecated/aws/templates/R80.40/utils/vpc.yaml 
@@ -0,0 +1,571 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Availability Zone Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - Label: + default: Network Configuration + Parameters: + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CreatePrivateSubnets + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - CreateAttachmentSubnets + - AttachmentSubnet1CIDR + - AttachmentSubnet2CIDR + - AttachmentSubnet3CIDR + - AttachmentSubnet4CIDR + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CreatePrivateSubnets: + default: Create private subnets + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + PrivateSubnet3CIDR: + default: Private subnet 3 CIDR + PrivateSubnet4CIDR: + default: Private subnet 4 CIDR + CreateAttachmentSubnets: + default: Create Attachment subnets + AttachmentSubnet1CIDR: + default: Attachment subnet 1 CIDR + AttachmentSubnet2CIDR: + default: Attachment subnet 2 CIDR + AttachmentSubnet3CIDR: + default: Attachment subnet 3 CIDR + AttachmentSubnet4CIDR: + default: Attachment subnet 4 CIDR +Parameters: + AvailabilityZones: + Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. 
This must match your + selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 1 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ CreatePrivateSubnets: + Description: Set to false to create only public subnets. If false, the CIDR parameters. + for ALL private subnets will be ignored. + Type: String + Default: true + AllowedValues: + - true + - false + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + CreateAttachmentSubnets: + Description: Set true for creating designated subnets for VPC attachments. If false, + the CIDR parameters for the Attachment subnets will be ignored. 
+ Type: String + Default: false + AllowedValues: + - true + - false + AttachmentSubnet1CIDR: + Description: CIDR block for Attachment subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet2CIDR: + Description: CIDR block for Attachment subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet3CIDR: + Description: CIDR block for Attachment subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet4CIDR: + Description: CIDR block for Attachment subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true] + 2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs] + 3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs] + 4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs] + AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true] + 2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs] + 3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs] + 4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs] +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref VPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + InternetGateway: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + - Key: Network + Value: Public + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + DependsOn: [VPC, InternetGateway] + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnet1: + Type: AWS::EC2::Subnet + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 1 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet2: + Condition: 2AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 2 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet3: + Condition: 3AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref 
PublicSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 3 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet4: + Condition: 4AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 4 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnetRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPC + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Public Subnets Route Table + - Key: Network + Value: Public + PublicSubnetRoute: + DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable] + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicSubnetRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + PublicSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: [PublicSubnet1, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet1 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 2AZs + DependsOn: [PublicSubnet2, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet2 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + DependsOn: [PublicSubnet3, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet3 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + DependsOn: [PublicSubnet4, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet4 + RouteTableId: !Ref PublicSubnetRouteTable + PrivateSubnet1: + Type: AWS::EC2::Subnet + Condition: PrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + 
CidrBlock: !Ref PrivateSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 1 + - Key: Network + Value: Private + PrivateSubnet2: + Type: AWS::EC2::Subnet + Condition: 2AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 2 + - Key: Network + Value: Private + PrivateSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 3 + - Key: Network + Value: Private + PrivateSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 4 + - Key: Network + Value: Private + AttachmentSubnet1: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 1 + - Key: Network + Value: Private + AttachmentSubnet2: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 2 + - Key: Network + Value: Private + AttachmentSubnet3: + Condition: 3AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 3 + - Key: Network + Value: Private + 
AttachmentSubnet4: + Condition: 4AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 4 + - Key: Network + Value: Private +Outputs: + VPCID: + Value: !Ref VPC + Description: VPC ID. + Export: + Name: !Sub '${AWS::StackName}-VPCID' + VPCCIDR: + Value: !Ref VPCCIDR + Description: VPC CIDR + Export: + Name: !Sub '${AWS::StackName}-VPCCIDR' + PublicSubnet1CIDR: + Description: Public subnet 1 CIDR in Availability Zone 1. + Value: !Ref PublicSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR' + PublicSubnet1ID: + Description: Public subnet 1 ID in Availability Zone 1. + Value: !Ref PublicSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1ID' + PublicSubnet2CIDR: + Condition: 2AZs + Description: Public subnet 2 CIDR in Availability Zone 2. + Value: !Ref PublicSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR' + PublicSubnet2ID: + Condition: 2AZs + Description: Public subnet 2 ID in Availability Zone 2. + Value: !Ref PublicSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2ID' + PublicSubnet3CIDR: + Condition: 3AZs + Description: Public subnet 3 CIDR in Availability Zone 3. + Value: !Ref PublicSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR' + PublicSubnet3ID: + Condition: 3AZs + Description: Public subnet 3 ID in Availability Zone 3. + Value: !Ref PublicSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3ID' + PublicSubnet4CIDR: + Condition: 4AZs + Description: Public subnet 4 CIDR in Availability Zone 4. + Value: !Ref PublicSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR' + PublicSubnet4ID: + Condition: 4AZs + Description: Public subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PublicSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4ID' + PublicSubnetRouteTable: + Value: !Ref PublicSubnetRouteTable + Description: Public subnet route table. + Export: + Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable' + PrivateSubnet1CIDR: + Condition: PrivateSubnets + Description: Private subnet 1 CIDR in Availability Zone 1. + Value: !Ref PrivateSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR' + PrivateSubnet1ID: + Condition: PrivateSubnets + Description: Private subnet 1 ID in Availability Zone 1. + Value: !Ref PrivateSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1ID' + PrivateSubnet2CIDR: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 CIDR in Availability Zone 2. + Value: !Ref PrivateSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR' + PrivateSubnet2ID: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 ID in Availability Zone 2. + Value: !Ref PrivateSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2ID' + PrivateSubnet3CIDR: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 CIDR in Availability Zone 3. + Value: !Ref PrivateSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR' + PrivateSubnet3ID: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 ID in Availability Zone 3. + Value: !Ref PrivateSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3ID' + PrivateSubnet4CIDR: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 CIDR in Availability Zone 4. + Value: !Ref PrivateSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR' + PrivateSubnet4ID: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PrivateSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4ID' + AttachmentSubnet1CIDR: + Condition: AttachmentSubnets + Description: Attachment subnet 1 CIDR in Availability Zone 1. + Value: !Ref AttachmentSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR' + AttachmentSubnet1ID: + Condition: AttachmentSubnets + Description: Attachment subnet 1 ID in Availability Zone 1. + Value: !Ref AttachmentSubnet1 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID' + AttachmentSubnet2CIDR: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 CIDR in Availability Zone 2. + Value: !Ref AttachmentSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR' + AttachmentSubnet2ID: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 ID in Availability Zone 2. + Value: !Ref AttachmentSubnet2 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID' + AttachmentSubnet3CIDR: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 CIDR in Availability Zone 3. + Value: !Ref AttachmentSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR' + AttachmentSubnet3ID: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 ID in Availability Zone 3. + Value: !Ref AttachmentSubnet3 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID' + AttachmentSubnet4CIDR: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 CIDR in Availability Zone 4. + Value: !Ref AttachmentSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR' + AttachmentSubnet4ID: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 ID in Availability Zone 4. + Value: !Ref AttachmentSubnet4 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID' + IGWID: + Description: IGW ID. + Value: !Join ['', [!Ref InternetGateway]] + Export: + Name: !Sub '${AWS::StackName}-IGWID' \ No newline at end of file 
diff --git a/deprecated/aws/templates/management-r80/README.md b/deprecated/aws/templates/R80/management-r80/README.md old mode 100644 new mode 100755 similarity index 100% rename from deprecated/aws/templates/management-r80/README.md rename to deprecated/aws/templates/R80/management-r80/README.md diff --git a/deprecated/aws/templates/management-r80/r80.json b/deprecated/aws/templates/R80/management-r80/r80.json similarity index 100% rename from deprecated/aws/templates/management-r80/r80.json rename to deprecated/aws/templates/R80/management-r80/r80.json diff --git a/deprecated/aws/templates/R81/autoscale/autoscale.yaml b/deprecated/aws/templates/R81/autoscale/autoscale.yaml new file mode 100755 index 00000000..28f3a637 --- /dev/null +++ b/deprecated/aws/templates/R81/autoscale/autoscale.yaml 
@@ -0,0 +1,612 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways 
Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling. + group (comma separated list of ARNs, without spaces) (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + 
ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: !Ref GatewaysSubnets + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: !Ref GatewaysSubnets + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckType: ELB + HealthCheckGracePeriod: 3600 + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', 
[template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: true + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: 
AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/deprecated/aws/templates/R81/autoscale/custom-autoscale.yaml b/deprecated/aws/templates/R81/autoscale/custom-autoscale.yaml new file mode 100755 index 00000000..70782d13 --- /dev/null +++ b/deprecated/aws/templates/R81/autoscale/custom-autoscale.yaml 
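Review bot: `GatewayMaintenancePasswordHash` is validated with the unanchored `AllowedPattern: '[\$\./a-zA-Z0-9]*'` while its sibling `GatewayPasswordHash` uses `'^[\$\./a-zA-Z0-9]*$'`; CloudFormation is documented to match AllowedPattern against the whole value either way, but both inputs end up on the same `python3 /etc/cloud_config.py` command line in the launch template's UserData and should be constrained identically, so anchor the second one as `AllowedPattern: '^[\$\./a-zA-Z0-9]*$'`. The `PermissiveSecurityGroup` (all protocols from `0.0.0.0/0`) is presumably intentional because the gateway applies its own policy; saying so in the resource, e.g. `GroupDescription: Permissive security group (traffic is filtered by the Check Point gateway policy).`, would spare future reviewers the question. The `GatewayInstanceType` description misspells "Secutiry". The `GatewaysTargetGroups`, `GatewayPasswordHash` and `GatewaySICKey` descriptions carry a full stop where the text wraps onto a continuation line (`...with the Auto Scaling.` / `group (comma separated ...`), which renders as a broken sentence in the console; drop the stray periods.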
@@ -0,0 +1,226 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an Auto Scaling group of workload servers (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ServersSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - ServerAMI + - ServerName + - ServerInstanceType + - KeyName + - AllocatePublicAddress + - Label: + default: Auto Scaling Configuration + Parameters: + - ServersMinSize + - ServersMaxSize + - AdminEmail + - ServersTargetGroups + - SourceSecurityGroup + ParameterLabels: + VPC: + default: VPC + ServersSubnets: + default: Servers subnets + ServerAMI: + default: Amazon Image ID + ServerName: + default: Instance Name + ServerInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + ServersMinSize: + default: Minimum group size + ServerMaxSize: + default: Maximum group size + AdminEmail: + default: Email address + ServersTargetGroups: + default: Target Groups + SourceSecurityGroup: + default: Source Security Group +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ServersSubnets: + Description: Select at least 2 subnets in the VPC. + Type: List + MinLength: 2 + ServerAMI: + Description: AMI of the servers. + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$' + ConstraintDescription: Must be a valid Amazon Machine Image ID. + ServerName: + Description: The servers name tag. + Type: String + Default: Server + ServerInstanceType: + Description: The instance type of the servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for each server. + Type: String + Default: false + AllowedValues: + - true + - false + ServersMinSize: + Description: The minimal number of servers in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + ServersMaxSize: + Description: The maximal number of servers in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. + (optional) + Type: String + Default: '' + AllowedPattern: '(|([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))' + ConstraintDescription: Must be a valid email address. + ServersTargetGroups: + Description: An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces). + Type: String + Default: '' + SourceSecurityGroup: + Description: The ID of Security Group from which access will be allowed to the instances in this Auto Scaling group. + Type: String + Default: '' +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref ServersTargetGroups, '']] + NotProvidedSecurityGroup: !Equals [!Ref SourceSecurityGroup, ''] +Resources: + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ServersSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: NotProvidedSecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', ServersSecurityGroup]] + GroupDescription: Servers security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + ServersLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: !Ref AllocatePublicAddress + Groups: !If [NotProvidedSecurityGroup, [!Ref ServersSecurityGroup], [!Ref SourceSecurityGroup]] + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !Ref ServerAMI + InstanceType: !Ref ServerInstanceType + VersionDescription: Initial template version + ServersGroup: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + VPCZoneIdentifier: !Ref ServersSubnets + LaunchTemplate: + LaunchTemplateId: !Ref ServersLaunchTemplate + Version: !GetAtt ServersLaunchTemplate.LatestVersionNumber + MinSize: !Ref ServersMinSize + MaxSize: !Ref ServersMaxSize + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref ServersTargetGroups], !Ref 'AWS::NoValue'] + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref ServerName + PropagateAtLaunch: true + ScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref ServersGroup + Cooldown: 300 + ScalingAdjustment: 1 + ScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref ServersGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. 
+ MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref ScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref ServersGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref ScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref ServersGroup + ComparisonOperator: LessThanThreshold diff --git a/deprecated/aws/templates/R81/autoscale/tgw-asg-master.yaml b/deprecated/aws/templates/R81/autoscale/tgw-asg-master.yaml new file mode 100755 index 00000000..43033b4a --- /dev/null +++ b/deprecated/aws/templates/R81/autoscale/tgw-asg-master.yaml 
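Review bot: When `SourceSecurityGroup` is left at its empty default, the `ServersSecurityGroup` created under the `NotProvidedSecurityGroup` condition admits every protocol from `0.0.0.0/0`, and nothing in the parameter's description says so. If that fallback is deliberate, state it in the parameter, e.g. `Description: The ID of a Security Group from which access will be allowed to the instances in this Auto Scaling group. Leave empty to create a security group that allows all inbound traffic from 0.0.0.0/0.`; otherwise restrict the fallback ingress to what the servers actually need. Separately, the `ParameterLabels` entry `ServerMaxSize` does not match the parameter name `ServersMaxSize`, so that label is never applied; rename it to `ServersMaxSize`. The `AllocatePublicAddress` label and description speak of an Elastic IP, but the launch template only sets `AssociatePublicIpAddress`, which assigns an auto-assigned public IP rather than an EIP, so the wording should say "public IP address".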
@@ -0,0 +1,690 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable 
environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: GatewayName + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. 
+ Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + AllowedPattern: '^[0-9]+$' + Default: 65000 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - 
r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + - R82-BYOL + - R82-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. 
+ Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String
+ Default: TGW-ASG-configuration
+ MinLength: 1
+ MaxLength: 30
+Conditions:
+ 4AZs: !Equals [!Ref NumberOfAZs, 4]
+ 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+ PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+ CreatePrivateSubnets: false
+ MainStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: __URL__/autoscale/tgw-asg.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ GatewaysSubnets: !Join
+ - ','
+ - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+ - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+ KeyName: !Ref KeyName
+ EnableVolumeEncryption: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ AllowUploadDownload: !Ref AllowUploadDownload
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ GatewaysMinSize: !Ref GatewaysMinSize
+ GatewaysMaxSize: !Ref GatewaysMaxSize
+ GatewayVersion: !Ref GatewayVersion
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ CloudWatch: !Ref CloudWatch
+ ASN: !Ref ASN
+ AdminEmail: !Ref AdminEmail
+ ManagementDeploy: !Ref ManagementDeploy
+ ManagementInstanceType: !Ref ManagementInstanceType
+ ManagementVersion: !Ref ManagementVersion
+ ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+ ManagementPermissions: !Ref ManagementPermissions
+ ManagementPredefinedRole: !Ref ManagementPredefinedRole
+ GatewaysBlades: !Ref GatewaysBlades
+ AdminCIDR: !Ref AdminCIDR
+ GatewayManagement: !Ref GatewayManagement
+ GatewaysAddresses: !Ref GatewaysAddresses
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+Outputs:
+ ManagementName:
+ Description: The name that represents the Security Management Server.
+ Value: !Ref ManagementServer
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+ Value: !Ref ConfigurationTemplate
+ ControllerName:
+ Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+ Value: !GetAtt MainStack.Outputs.ControllerName
+ ManagementPublicAddress:
+ Description: The public address of the management servers.
+ Value: !GetAtt MainStack.Outputs.ManagementPublicAddress
+ Condition: DeployManagement
+Rules:
+ GatewayAddressRule:
+ RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
+ Assertions:
+ - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided"
+ Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']]
\ No newline at end of file
diff --git a/deprecated/aws/templates/R81/autoscale/tgw-asg.yaml b/deprecated/aws/templates/R81/autoscale/tgw-asg.yaml
new file mode 100755
index 00000000..3d196a90
--- /dev/null
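Review bot: The `GatewayAddressRule` at the end of the Rules section only asserts that `GatewaysAddresses` is non-empty when `ManagementDeploy` is 'true', while `AdminCIDR` — whose AllowedPattern `^(...)?$` explicitly admits the empty string and which has no Default — is forwarded verbatim to `MainStack` with no equivalent check, so a Security Management Server can be created with no administrator network even though the parameter Description promises web, SSH and graphical-client access is restricted to one. What `__URL__/autoscale/tgw-asg.yaml` and the nested management template do with an empty value is not visible in this hunk; unless they reject it themselves, add a second assertion under the same rule: `- AssertDescription: "Administrator network (AdminCIDR) must be provided when deploying a Security Management Server"` / `Assert: !Not [!Equals [!Ref AdminCIDR, '']]`. The same pattern also accepts `0.0.0.0/0`, which is syntactically valid but exposes the management plane to the whole internet, so a one-line warning in the parameter Description would help operators who take the literal "network" wording at face value. While editing that rule, the existing AssertDescription misspells "network" as "netowrk". Since this file lands under `deprecated/` and appears to be a copy of a live template, the gap is presumably worth checking in the non-deprecated version as well.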
+++ b/deprecated/aws/templates/R81/autoscale/tgw-asg.yaml 
@@ -0,0 +1,682 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + 
default: Name + GatewayInstanceType: + default: Instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + Default: 65000 + AllowedPattern: '^[0-9]+$' + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - 
r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + - R82-BYOL + - R82-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. 
+ Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 +Conditions: + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: __URL__/management/management.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: true + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; region=${AWS::Region} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'community="tgw-community" ; controller="tgw-controller"' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="management_tgw_asg"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i 
''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Configuring VPN community: ${community}"' + - '[[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh "${community}" || /etc/fw/scripts/autoprovision/config-community.sh "${community}"' + - 'echo "Setting VPN rules"' + - 'mgmt_cli -r true add access-layer name "Inline"' + - 'mgmt_cli -r true add access-rule layer Network position 1 name "${community} VPN Traffic Rule" vpn.directional.1.from "${community}" vpn.directional.1.to "${community}" vpn.directional.2.from "${community}" vpn.directional.2.to External_clear action "Apply Layer" source "Any" destination "Any" service "Any" inline-layer "Inline"' + - 'mgmt_cli -r true add dynamic-object name "LocalGateway"' + - 'mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source "LocalGateway" method hide' + - 'echo "Setting CME configurations"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po Standard -otp "${sic}" -r "${region}" -ver "${version}" -iam -dt TGW' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -sv -com "${community}"' + - 'autoprov_cfg -f set template -tn "${conf_template}" -vpn -vd "" -con "${community}"' + - '${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ia -ips -appi -av -ab' + - 'echo -e "\nFinished Bootstrap script\n"' + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/autoscale/autoscale.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + 
GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'asn=${ASN}' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="autoscale_tgw"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Setting ASN to: ${asn}"' + - 'clish -c "set as ${asn}" -s' + - 'echo -e "\nFinished Bootstrap script\n"' + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: tgw-controller + ManagementPublicAddress: + Description: The public address of the management servers. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement +Rules: + GatewayAddressRule: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: + - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/cluster/cluster-master.yaml b/deprecated/aws/templates/R81/cluster/cluster-master.yaml new file mode 100755 index 00000000..db6a1b89 --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/cluster-master.yaml 
@@ -0,0 +1,512 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPCCIDR: + default: VPC CIDR + AvailabilityZone: + default: Availability zone + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + 
GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the cluster. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block for your VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. 
(optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: __URL__/cluster/cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + 
GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberAExternalInterface:
+ Condition: AllocateAddress
+ Description: The external interface of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+ MemberAPrivateExternalAddress:
+ Description: The private external address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+ MemberAPrivateInternalAddress:
+ Description: The private internal address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+ ClusterPrivateAliasExternalAddress:
+ Description: The secondary external private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasExternalAddress
+ ClusterPrivateAliasInternalAddress:
+ Description: The secondary internal private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasInternalAddress
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/deprecated/aws/templates/R81/cluster/cluster.yaml b/deprecated/aws/templates/R81/cluster/cluster.yaml
new file mode 100755
index 00000000..d47be332
--- /dev/null
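Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` in the Parameters section does not enforce the Smart-1 Cloud token prefix it appears to intend: in the second alternative, `(.*)\s[aHR0cHM6Ly9](.+)` is a character class, so any value containing whitespace followed by one of those eleven characters and one more character passes, rather than only values containing the literal `aHR0cHM6Ly9` prefix that the first alternative checks. If the literal prefix is the intent, the pattern should be `'(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`; since this file is a copy placed under `deprecated/`, the same pattern presumably lives in the non-deprecated cluster template and should be fixed there too. Related but minor: `GatewayPasswordHash` anchors its pattern (`'^[\$\./a-zA-Z0-9]*$'`) while `GatewayMaintenancePasswordHash` uses the unanchored `'[\$\./a-zA-Z0-9]*'`; CloudFormation matches the whole value either way, but the two should be written the same way. `VolumeSize` and `GatewayVersion` have no `Description`, unlike every other parameter, and `GatewayInstanceType` spells "Secutiry".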
+++ b/deprecated/aws/templates/R81/cluster/cluster.yaml 
@@ -0,0 +1,762 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + 
GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. The subnet's route table must have 0.0.0.0/0 route to Internet Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt 
ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join [-, [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ SecondaryPrivateIpAddressCount: 1 + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnet + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, 
!Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref 
VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + 
NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" 
passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ VersionDescription: Initial template version
+ ClusterPublicAddress:
+ Type: AWS::EC2::EIP
+ Properties:
+ Domain: vpc
+ MemberAPublicAddress:
+ Type: AWS::EC2::EIP
+ Condition: AllocateAddress
+ Properties:
+ Domain: vpc
+ MemberBPublicAddress:
+ Type: AWS::EC2::EIP
+ Condition: AllocateAddress
+ Properties:
+ Domain: vpc
+ ClusterAddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ DependsOn: MemberAInstance
+ Properties:
+ NetworkInterfaceId: !Ref MemberAExternalInterface
+ AllocationId: !GetAtt ClusterPublicAddress.AllocationId
+ PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses]
+ MemberAAddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ Condition: AllocateAddress
+ DependsOn: MemberAInstance
+ Properties:
+ NetworkInterfaceId: !Ref MemberAExternalInterface
+ AllocationId: !GetAtt MemberAPublicAddress.AllocationId
+ PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+ MemberBAddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ Condition: AllocateAddress
+ DependsOn: MemberBInstance
+ Properties:
+ NetworkInterfaceId: !Ref MemberBExternalInterface
+ AllocationId: !GetAtt MemberBPublicAddress.AllocationId
+ PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !Ref ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !Ref MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]]
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !Join ['', ['https://', !Ref MemberAPublicAddress]]
+ MemberAExternalInterface:
+ Condition: AllocateAddress
+ Description: The external interface of member A.
+ Value: !Ref MemberAExternalInterface
+ MemberAPrivateExternalAddress:
+ Description: The private external address of member A.
+ Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress
+ MemberAPrivateInternalAddress:
+ Description: The private internal address of member A.
+ Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !Ref MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]]
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !Join ['', ['https://', !Ref MemberBPublicAddress]]
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress
+ ClusterPrivateAliasExternalAddress:
+ Description: The secondary external private IP address of the cluster.
+ Value: !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ]
+ ClusterPrivateAliasInternalAddress:
+ Description: The secondary internal private IP address of the cluster.
+ Value: !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ]
+
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
+
+
diff --git a/deprecated/aws/templates/R81/cluster/cross-az-cluster.yaml b/deprecated/aws/templates/R81/cluster/cross-az-cluster.yaml
new file mode 100755
index 00000000..fcbe2bf4
--- /dev/null
+++ b/deprecated/aws/templates/R81/cluster/cross-az-cluster.yaml
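Review bot: The `AllowedPattern` on MemberAToken and MemberBToken, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, puts the expected prefix inside square brackets in its middle alternative, which makes that branch a one-character class rather than the literal the first branch requires, so any value containing whitespace followed by a single one of those characters passes validation; if the literal prefix was intended there as well, `(.*)\s(aHR0cHM6Ly9)(.+)` is the one-token fix. The accepted value is then interpolated into the cloud-init shell line `tokenA=''${MemberAToken}''` (and `tokenB` on member B), so a token containing a single quote breaks that line at boot instead of being passed through; excluding `'` in the pattern, or stating the constraint in the parameter Description, would make the failure mode explicit. GatewaySICKey, both password hashes, GatewayBootstrapScript and the tokens are `NoEcho: true` but are embedded base64-encoded, not encrypted, in each launch template's UserData, which is retrievable by anyone who can describe the instance; a comment on the UserData block such as `# NOTE: NoEcho only hides these values in the CloudFormation console; they remain readable in the instance UserData` would stop operators from reading NoEcho as secret storage. `PermissiveSecurityGroup` admits every protocol from 0.0.0.0/0 on all four interfaces, presumably because filtering is delegated to the gateway itself; the GroupDescription should say so rather than the bare `Permissive security group.` so the rule is not "fixed" by a later hardening pass.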
@@ -0,0 +1,775 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + 
default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. 
(optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - 
m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. 
+ Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose + Improve product experience by sending data to Check Point. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: 
AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: x-chkp-interface-type + Value: external + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: x-chkp-interface-type + Value: external + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: x-chkp-interface-type + Value: internal + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: x-chkp-interface-type + Value: internal + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt 
MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !Ref MemberAPublicAddress ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !Ref MemberBPublicAddress ] ] + 
- !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt 
MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + 
KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" 
hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The primary external private address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateAliasAddress: + Description: The secondary external private IP address of Member A. + Value: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAPrivateInternalAddress: + Description: The private Internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. 
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The primary external private address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateAliasAddress: + Description: The secondary external private IP address of Member B. + Value: !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses] + MemberBPrivateInternalAddress: + Description: The private Internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] diff --git a/deprecated/aws/templates/R81/cluster/geo-cluster-master.yaml b/deprecated/aws/templates/R81/cluster/geo-cluster-master.yaml new file mode 100755 index 00000000..3c7c11a9 --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/geo-cluster-master.yaml 
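Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` in the Parameters section, `(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)`, uses a character class in its second alternative, so `[aHR0cHM6Ly9]` matches any single one of those characters rather than the literal `aHR0cHM6Ly9` prefix that the first alternative checks for; any value containing whitespace followed by one of those letters is accepted. Presumably a literal was intended, i.e. `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'` on both parameters. Because the lax match lets values containing quotes through, such a token reaches the single-quoted `tokenA=''${MemberAToken}''` (and `tokenB=''${MemberBToken}''`) assignment in the launch template UserData and only fails at first boot, instead of being rejected at parameter validation where the operator can see the cause. This file is an archive copy under deprecated/, so the correction matters mainly if the maintained template carries the same pattern.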
@@ -0,0 +1,523 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point cross AZ Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination 
Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. The cluster's public IPs will be generated from this subnet. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/geo-cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + 
AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/cluster/geo-cluster.yaml b/deprecated/aws/templates/R81/cluster/geo-cluster.yaml new file mode 100755 index 00000000..bf9ec48a --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/geo-cluster.yaml 
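Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` puts the `aHR0cHM6Ly9` prefix inside a character class in its second alternative, `(.*)\s[aHR0cHM6Ly9](.+)`, so that branch accepts any value containing whitespace followed by a single one of those characters rather than the whole prefix; the intent looks like a group, `'(^aHR0cHM6Ly9(.+)|(.*)\s(aHR0cHM6Ly9)(.+)|^$)'`. The identical pattern is repeated for both token parameters in geo-cluster.yaml in the next hunk, so the fix applies there too. Separately, `GatewayMaintenancePasswordHash` uses `'[\$\./a-zA-Z0-9]*'` while `GatewayPasswordHash` uses the anchored `'^[\$\./a-zA-Z0-9]*$'`; if the validator does not implicitly anchor, the unanchored form accepts anything, and anchoring it keeps the two parameters consistent. Since this file is being added under a deprecated/ path it may be a frozen copy, in which case the same corrections belong in the maintained template rather than here.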
@@ -0,0 +1,734 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP 
token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. 
If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - 
m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. 
+ Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: [MemberAInstance, MemberBInstance] + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: 
AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. 
+ GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + 
Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" 
waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 
'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public 
address of member A. + Value: !Ref MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + MemberBExternalInterface: + Description: The external interface of member B. + Value: !Ref MemberBExternalInterface + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/cluster/tgw-cross-az-cluster.yaml b/deprecated/aws/templates/R81/cluster/tgw-cross-az-cluster.yaml new file mode 100755 index 00000000..343d34b8 --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/tgw-cross-az-cluster.yaml 
@@ -0,0 +1,535 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an + existing VPC + (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + 
GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. 
+ TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/cross-az-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref 
GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/cluster/tgw-ha-master.yaml b/deprecated/aws/templates/R81/cluster/tgw-ha-master.yaml new file mode 100755 index 00000000..a97886ba --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/tgw-ha-master.yaml 
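Review bot: The `AllowedPattern` on `MemberAToken` (and the identical one on `MemberBToken`) has a regex defect in its second alternative: `[aHR0cHM6Ly9]` is a character class, so `(.*)\s[aHR0cHM6Ly9](.+)` accepts any value that contains whitespace followed by one of those eleven characters and at least one more character, instead of the literal base64 `https://` prefix that the first alternative checks. The validation therefore rejects almost nothing once the value contains a space, and the value is then handed unvalidated to the nested `ClusterStack` via `MemberAToken: !Ref MemberAToken` / `MemberBToken: !Ref MemberBToken`. Presumably the literal prefix was intended, so both patterns should read `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. Separately, `GatewayMaintenancePasswordHash` uses the unanchored `'[\$\./a-zA-Z0-9]*'` while its sibling `GatewayPasswordHash` uses `'^[\$\./a-zA-Z0-9]*$'`; CloudFormation matches the whole value either way, but the two should be written consistently. This file appears to be a copy moved under `deprecated/`, so if the live template it was taken from carries the same pattern the fix belongs there too.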
@@ -0,0 +1,531 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + TgwSubnet1CIDR: + default: TGW HA subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW HA subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + 
default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW HA subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/tgw-ha.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + TgwHASubnetA: !GetAtt 
VPCStack.Outputs.AttachmentSubnet1ID + TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/cluster/tgw-ha.yaml b/deprecated/aws/templates/R81/cluster/tgw-ha.yaml new file mode 100755 index 00000000..beb37fc5 --- /dev/null +++ b/deprecated/aws/templates/R81/cluster/tgw-ha.yaml 
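Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` in the Parameters section of tgw-ha-master.yaml does not enforce the intended token prefix in its second alternative: `(.*)\s[aHR0cHM6Ly9](.+)` is a character class, so it accepts any value containing whitespace followed by one character from that set and at least one more character, rather than the literal `aHR0cHM6Ly9` after the whitespace. If the intent is to allow an optional leading label before the token, the alternative should read `(.*)\saHR0cHM6Ly9(.+)`, i.e. `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. The identical pattern is repeated for both token parameters in tgw-ha.yaml in the next hunk. A malformed token that passes this check will presumably only surface when the member tries to connect to Smart-1 Cloud at first boot, so the parameter pattern is the only pre-deployment validation of this value.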
@@ -0,0 +1,527 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: 
Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. 
+ Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + 
- r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/cluster/geo-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt 
ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. 
Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/deprecated/aws/templates/R81/gateway/gateway-master.yaml b/deprecated/aws/templates/R81/gateway/gateway-master.yaml new file mode 100755 index 00000000..83e507c2 --- /dev/null +++ b/deprecated/aws/templates/R81/gateway/gateway-master.yaml 
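Review bot: The nested `TemplateURL: __URL__/cluster/geo-cluster.yaml` in tgw-ha.yaml's `ClusterStack` (and `__URL__/cluster/tgw-ha.yaml` / `__URL__/utils/vpc.yaml` in tgw-ha-master.yaml in the previous hunk) still points at the live template tree even though this copy now lives under `deprecated/aws/templates/R81/`. If `__URL__` is substituted with the same base as the current templates, the nested stack presumably resolves to the post-deprecation geo-cluster.yaml, which may no longer accept the `R81-BYOL`/`R81-PAYG-NGTP`/`R81-PAYG-NGTX` values this template forwards as `GatewayVersion`, so the stack would fail at nested-parameter validation rather than remaining deployable as an archived R81 template; either point the deprecated masters at matching deprecated nested templates or state in the template `Description` that these copies are kept for reference only. Separately, the `TgwHASubnetB` constraint text reads `TGW HAsubnet`; it should be `ConstraintDescription: you must select a TGW HA subnet for the second Security Gateway.` to match the `TgwHASubnetA` wording.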
@@ -0,0 +1,495 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Security Gateway into a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: 
Gateway Version & license + Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ GatewayName: + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type 
+ KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in sk180501 to quickly connect this Gateway to Smart-1 Cloud. 
Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private. + or public address + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic. + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic. + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + GatewayStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gateway/gateway.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt 
VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewaySICKey: !Ref GatewaySICKey + GatewayToken: !Ref GatewayToken + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PublicAddress + CheckPointInstancePrivateExternalAddress: + Description: The private external address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress + CheckPointInstancePrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. 
+ Value: !GetAtt GatewayStack.Outputs.SSH + CheckPointInstanceURL: + Condition: AllocateAddress + Description: URL to the portal + Value: !GetAtt GatewayStack.Outputs.URL + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations + required to automatically provision the Gateways in the Auto Scaling Group, + such as what Security Policy to install and which Blades to enable, will be + placed under this template name. + Value: !Ref ConfigurationTemplate diff --git a/deprecated/aws/templates/R81/gateway/gateway.yaml b/deprecated/aws/templates/R81/gateway/gateway.yaml new file mode 100755 index 00000000..5f4e8f4a --- /dev/null +++ b/deprecated/aws/templates/R81/gateway/gateway.yaml 
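Review bot: The `ControlGatewayOverPrivateOrPublicAddress` and `ManagementServer` descriptions in this hunk carry a stray period at the line fold (`provisioned using its private.` and `in the automatic.` followed by the continuation line), so the folded scalar renders mid-sentence in the console; the `gateway.yaml` copy later in this diff has the same two descriptions with the period at the end, which is the form to use here. `Description: The instance type of the Secutiry Gateways.` has a spelling slip that also appears in the `gateway.yaml` hunk. If this file is a verbatim move into deprecated/, leaving it untouched may be intentional, but the active templates are worth checking for the same text.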
@@ -0,0 +1,601 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Security Gateway into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateway Version & license + 
Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ Type: String + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private + or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + GatewayIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com ] + Action: sts:AssumeRole + Path: / + GatewayInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + 
Properties: + Path: / + Roles: [!Ref GatewayIAMRole] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref GatewayIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion,GW]] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + GatewayInstance: + Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref GatewayName + - !If + - ProvidedManagementParameters + - Key: x-chkp-tags + Value: + !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template,!Ref ConfigurationTemplate]] + - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + - !Ref 'AWS::NoValue' + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + Condition: AllocateAddress + PrivateExternalAddress: + Description: The private external address of the Check Point instance. 
+ Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress + PrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress + SSH: + Description: SSH command to the Check Point instance. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + Condition: AllocateAddress + URL: + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] + Condition: AllocateAddress + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations + required to automatically provision the Gateways in the Auto Scaling Group, + such as what Security Policy to install and which Blades to enable, will be + placed under this template name. + Value: !Ref ConfigurationTemplate diff --git a/deprecated/aws/templates/R81/gateway/standalone-master.yaml b/deprecated/aws/templates/R81/gateway/standalone-master.yaml new file mode 100755 index 00000000..ed1f12f6 --- /dev/null +++ b/deprecated/aws/templates/R81/gateway/standalone-master.yaml 
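Review bot: `PermissiveSecurityGroup` allows every protocol from `0.0.0.0/0` and is attached to both `ExternalNetworkInterface` and `InternalNetworkInterface`, while `Outputs.SSH` and `Outputs.URL` point at the public Elastic IP, so nothing in this template narrows management-plane access at the AWS layer — unlike the `standalone-master.yaml` hunk in the same diff, which at least exposes an `AdminCIDR` parameter. If the gateway's own policy is intended to be the only filter, that assumption should be stated next to the group, e.g. `# Intentionally any/any: filtering is delegated to the gateway policy; restrict SSH/HTTPS to admin ranges there.`, or an `AdminCIDR`-style parameter added as in the standalone template. Separately, the `UserData` join embeds `GatewaySICKey`, both password hashes, `GatewayToken` and the bootstrap script as base64; `NoEcho: true` hides them in the stack parameter view but not from the instance's user data, which is readable by any principal with `ec2:DescribeInstanceAttribute` on the instance, and base64 is not a secrecy mechanism. A comment such as `# NOTE: values below are readable from instance user-data; limit DescribeInstanceAttribute and rotate the SIC key once trust is established` would make that explicit; the `HttpTokens: required` default is good and should stay.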
@@ -0,0 +1,443 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance in a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Gateway Maintenance 
Password hash + ResourcesTagName: + default: Resources prefix tag + StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + StandaloneName: + Type: String + Default: Check-Point-Instance + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-PAYG-NGTP + - R81-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. 
(optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - 
m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + StandaloneHostname: + Description: (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + StandaloneStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/gateway/standalone.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + StandaloneName: !Ref StandaloneName + StandaloneInstanceType: !Ref StandaloneInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + StandaloneVersion: !Ref StandaloneVersion + Shell: !Ref Shell + StandalonePasswordHash: !Ref StandalonePasswordHash + 
StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + StandaloneHostname: !Ref StandaloneHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + StandaloneBootstrapScript: !Ref StandaloneBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + AdminCIDR: !Ref AdminCIDR + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt StandaloneStack.Outputs.PublicAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. + Value: !GetAtt StandaloneStack.Outputs.SSH + CheckPointInstanceURL: + Condition: AllocateAddress + Description: URL to the portal. + Value: !GetAtt StandaloneStack.Outputs.URL diff --git a/deprecated/aws/templates/R81/gateway/standalone.yaml b/deprecated/aws/templates/R81/gateway/standalone.yaml new file mode 100755 index 00000000..0bf218ef --- /dev/null +++ b/deprecated/aws/templates/R81/gateway/standalone.yaml 
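Review bot: The `AdminCIDR` AllowedPattern accepts prefix lengths from `/0` upward, so `0.0.0.0/0` passes validation for the parameter labelled "Administrator addresses" even though the description promises to allow admin clients "only from this network"; if an unrestricted admin source is never intended, tighten the prefix group (e.g. `(\/([1-9]|[1-2][0-9]|3[0-2]))$`) or say in the description that `/0` is accepted. The `ParameterLabels` entry for `StandaloneMaintenancePasswordHash` reads `Gateway Maintenance Password hash` while the nested standalone.yaml and every other label here use "Standalone"; change it to `default: Standalone Maintenance Password hash`. The `AdminCIDR` and `GatewaysAddresses` descriptions also carry a stray full stop mid-sentence (`...to communicate. with the Management Server`, `...with the Management. Server.`), which the console renders verbatim; e.g. `Description: Allow web, SSH, and graphical clients only from this network to communicate with the Management Server.`. The VPC, subnets and security group are created by the nested `vpc.yaml`/`standalone.yaml` stacks, so exposure of the instance itself is reviewed there, not in this wrapper.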
@@ -0,0 +1,538 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance into an existing VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Standalone Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Standalone Maintenance Password hash + 
ResourcesTagName: + default: Resources prefix tag + StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + StandaloneName: + Type: String + Default: Check-Point-Instance + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-PAYG-NGTP + - R81-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + StandaloneHostname: + Description: (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL'] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: StandaloneInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + StandaloneIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com ] + Action: sts:AssumeRole + Path: / + StandaloneInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [ !Ref StandaloneIAMRole ] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref StandaloneIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref 
ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + StandaloneInstance: + Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref StandaloneName + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref StandaloneInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: 
!If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' + - !If [ AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ] + - !Join [ '', [ ' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ] + - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] + - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ] + - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: StandaloneInstance + Condition: AllocateAddress + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt 
PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + SSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: AllocateAddress + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress ]] diff --git a/deprecated/aws/templates/R81/iam/cloudwatch-policy.yaml b/deprecated/aws/templates/R81/iam/cloudwatch-policy.yaml new file mode 100755 index 00000000..a9a233e8 --- /dev/null +++ b/deprecated/aws/templates/R81/iam/cloudwatch-policy.yaml @@ -0,0 +1,39 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Policy Attributes + Parameters: + - PolicyName + - PolicyRole + ParameterLabels: + PolicyName: + default: Policy name + PolicyRole: + default: IAM role name +Parameters: + PolicyName: + Description: '' + Type: String + Default: 'Cloudwatch' + AllowedPattern: '[\w+=,.@-]+' + PolicyRole: + Description: '' + Type: String + AllowedPattern: '[\w+=,.@-]+' +Resources: + IAMPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: !Sub "${PolicyName}-iam-policy" + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - cloudwatch:PutMetricData + Resource: '*' + Roles: + - !Ref PolicyRole diff --git a/deprecated/aws/templates/R81/iam/cluster-iam-role.yaml b/deprecated/aws/templates/R81/iam/cluster-iam-role.yaml new file mode 100755 index 00000000..85d52102 --- /dev/null +++ b/deprecated/aws/templates/R81/iam/cluster-iam-role.yaml 
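Review bot: `StandalonePasswordHash`, `StandaloneMaintenancePasswordHash` and `StandaloneBootstrapScript` are `NoEcho: true`, but the launch template's `UserData` embeds all three base64-encoded (`pwd_hash="$(echo ...)"`, `maintenance_pwd_hash="$(echo ...)"`, `bootstrap="$(echo ...)"`), so NoEcho only hides them from CloudFormation describe calls; anyone with `ec2:DescribeLaunchTemplateVersions` or `ec2:DescribeInstanceAttribute`, and any process on the box via IMDS, can read them. The hashes are not plaintext, but the bootstrap script is arbitrary commands and commonly carries credentials, so its Description should warn: `Note: the script is passed in instance user data and is readable through the EC2 API and the instance metadata service; do not embed long-lived secrets.`. Keeping `MetaDataToken` defaulting to `true` (`HttpTokens: required`) is what blocks the trivial SSRF path to that user data, so that default should not be relaxed in later revisions. Separately, `PermissiveSecurityGroup` admits every protocol from `0.0.0.0/0` on both ENIs and the only admin-source restriction visible here is the `adminSubnet` value handed to `cloud_config.py`; if the appliance policy is intended to be the sole filter, a comment on the security group stating that would stop a reviewer from tightening it by accident.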
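Review bot: The `cloudwatch:PutMetricData` statement uses `Resource: '*'`, which is unavoidable for that action (it has no resource ARN), but it can still be narrowed with the `cloudwatch:namespace` condition key so the instance can only publish into the namespace the Check Point agent uses. If that namespace is fixed, add to the statement `Condition: {StringEquals: {'cloudwatch:namespace': '<agent namespace>'}}`; if it is not known at template level, a comment saying why the grant is unconditioned would document the trade-off. `PolicyName` also has an empty `Description: ''`, so the console shows nothing for it; a one-liner such as `Description: Name prefix for the inline CloudWatch policy.` would help.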
@@ -0,0 +1,35 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Resources: + ClusterIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: sts:AssumeRole + Path: / + Policies: + - PolicyName: ClusterPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - ec2:AssignPrivateIpAddresses + - ec2:AssociateAddress + - ec2:CreateRoute + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:ReplaceRoute + Resource: '*' +Outputs: + ClusterIAMRole: + Description: The IAM role. + Value: !Ref ClusterIAMRole + ClusterARNRole: + Description: The IAM role ARN. + Value: !GetAtt ClusterIAMRole.Arn diff --git a/deprecated/aws/templates/R81/iam/cme-iam-role.yaml b/deprecated/aws/templates/R81/iam/cme-iam-role.yaml new file mode 100755 index 00000000..b9f6c2bf --- /dev/null +++ b/deprecated/aws/templates/R81/iam/cme-iam-role.yaml 
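Review bot: `ClusterPolicy` grants `ec2:AssociateAddress`, `ec2:AssignPrivateIpAddresses`, `ec2:CreateRoute` and `ec2:ReplaceRoute` on `Resource: '*'`, so a compromised cluster member (or anything that can read its IMDS credentials) can re-point any route table or Elastic IP in the account, not just the cluster's own. These actions accept resource ARNs and tag conditions, so the write statement could be scoped to the cluster's route tables, ENIs and EIPs — e.g. via `Condition: {StringEquals: {'aws:ResourceTag/Name': <cluster tag>}}` — but this template currently takes no parameters to scope against. If `'*'` is deliberate because failover targets are discovered at runtime, a comment on the statement saying so would document the decision for the next reviewer.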
@@ -0,0 +1,159 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: IAM + Parameters: + - Permissions + - Label: + default: Advanced Configuration (optional) + Parameters: + - STSRoles + - TrustedAccount + ParameterLabels: + Permissions: + default: IAM role + STSRoles: + default: STS roles + TrustedAccount: + default: Trusted Account ID +Parameters: + Permissions: + Type: String + Default: Create with read permissions + AllowedValues: + - Create with read permissions + - Create with read-write permissions + - Create with assume role permissions (specify an STS role ARN) + STSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). + Type: String + Default: '' + TrustedAccount: + Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it. 
+ Type: String + Default: '' + AllowedPattern: '^([0-9]{12})|$' +Conditions: + AllowReadPermissions: !Or + - !Equals [!Ref Permissions, Create with read permissions] + - !Equals [!Ref Permissions, Create with read-write permissions] + AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions] + ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']] + NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount] + ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount] +Resources: + CMEIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedTrustedAccount + - Effect: Allow + Principal: + AWS: [!Ref TrustedAccount] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + - !If + - NotProvidedTrustedAccount + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + Path: / + Policies: + - PolicyName: CMEPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedSTSRoles + - Effect: Allow + Action: ['sts:AssumeRole'] + Resource: !Split [',', !Ref STSRoles] + - !Ref 'AWS::NoValue' + - !If + - AllowReadPermissions + - Effect: Allow + Action: + - autoscaling:DescribeAutoScalingGroups + - ec2:DescribeRegions + - ec2:DescribeCustomerGateways + - ec2:DescribeInstances + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeTransitGateways + - ec2:DescribeTransitGatewayAttachments + - ec2:DescribeTransitGatewayRouteTables + - ec2:DescribeVpcs + - ec2:DescribeVpnGateways + - ec2:DescribeVpnConnections + - ec2:GetTransitGatewayAttachmentPropagations + - elasticloadbalancing:DescribeLoadBalancers + - elasticloadbalancing:DescribeTags + - elasticloadbalancing:DescribeListeners + - elasticloadbalancing:DescribeTargetGroups + - elasticloadbalancing:DescribeRules + - elasticloadbalancing:DescribeTargetHealth + Resource: '*' 
+ - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - ec2:AssociateTransitGatewayRouteTable + - ec2:AttachVpnGateway + - ec2:CreateCustomerGateway + - ec2:CreateVpnConnection + - ec2:CreateVpnGateway + - ec2:DeleteCustomerGateway + - ec2:DeleteVpnConnection + - ec2:DeleteVpnGateway + - ec2:DetachVpnGateway + - ec2:DisableTransitGatewayRouteTablePropagation + - ec2:DisableVgwRoutePropagation + - ec2:DisassociateTransitGatewayRouteTable + - ec2:EnableTransitGatewayRouteTablePropagation + - ec2:EnableVgwRoutePropagation + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:DescribeStacks + - cloudformation:DescribeStackResources + - cloudformation:ListStacks + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DeleteStack + Resource: 'arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*' + - !Ref 'AWS::NoValue' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: !Ref CMEIAMRole + Roles: + - !Ref CMEIAMRole +Outputs: + CMEIAMRole: + Description: The IAM role. + Value: !Ref CMEIAMRole + CMEARNRole: + Description: The IAM role ARN. + Value: !GetAtt CMEIAMRole.Arn + InstanceProfile: + Description: The Instance Profile ARN. + Value: !GetAtt InstanceProfile.Arn \ No newline at end of file diff --git a/deprecated/aws/templates/R81/iam/sts-role.yaml b/deprecated/aws/templates/R81/iam/sts-role.yaml new file mode 100755 index 00000000..93f5cb40 --- /dev/null +++ b/deprecated/aws/templates/R81/iam/sts-role.yaml 
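Review bot: `TrustedAccount`'s AllowedPattern `'^([0-9]{12})|$'` binds `^` only to the left alternative, so it reads as "12 digits at the start" or "empty"; with full-string matching it happens to work, but `'^([0-9]{12})?$'` states the intent unambiguously and matches the `'^[0-9]{12}$'` form used in sts-role.yaml. When a trusted account is supplied the trust policy is `Principal: {AWS: [<account id>]}` with no `sts:ExternalId` condition, so every principal in that account with `sts:AssumeRole` rights can take this role and its read-write EC2/CloudFormation permissions; add an `ExternalId` parameter and `Condition: {StringEquals: {'sts:ExternalId': !Ref ExternalId}}` on that statement, or at least document that the entire account is trusted. Also, with a trusted account the `ec2.amazonaws.com` service principal is dropped (`NotProvidedTrustedAccount`) yet `InstanceProfile` is still created; harmless, but an instance profile on a role EC2 cannot assume deserves a comment.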
@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for cross account permissions (20190313)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Cross Account Permissions Configuration
+ Parameters:
+ - TrustedAccount
+ - Permissions
+ ParameterLabels:
+ TrustedAccount:
+ default: Trusted Account ID
+ STSPermissions:
+ default: IAM Role Permissions
+Parameters:
+ TrustedAccount:
+ Description: A 12 digits number that represents the ID of the trusted account.
+ Type: String
+ AllowedPattern: '^[0-9]{12}$'
+ STSPermissions:
+ Description: Select Read-Write if you intend to use this role with Transit VPC.
+ Type: String
+ Default: Read only
+ AllowedValues:
+ - Read only
+ - Read-Write
+Conditions:
+ AllowReadPermissions: !Or
+ - !Equals [!Ref STSPermissions, Read only]
+ - !Equals [!Ref STSPermissions, Read-Write]
+ AllowCreateVPNPermissions: !Equals [!Ref STSPermissions, Read-Write]
+Resources:
+ Role:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !Ref TrustedAccount
+ Action:
+ - sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: Policy
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - AllowReadPermissions
+ - Effect: Allow
+ Action:
+ - ec2:DescribeInstances
+ - ec2:DescribeNetworkInterfaces
+ - ec2:DescribeSubnets
+ - ec2:DescribeVpcs
+ - ec2:DescribeVpnGateways
+ - ec2:DescribeVpnConnections
+ - ec2:DescribeSecurityGroups
+ - elasticloadbalancing:DescribeLoadBalancers
+ - elasticloadbalancing:DescribeTags
+ - elasticloadbalancing:DescribeListeners
+ - elasticloadbalancing:DescribeTargetGroups
+ - elasticloadbalancing:DescribeRules
+ - elasticloadbalancing:DescribeTargetHealth
+ - autoscaling:DescribeAutoScalingGroups
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - ec2:DescribeCustomerGateways
+ - 
ec2:CreateCustomerGateway
+ - ec2:DeleteCustomerGateway
+ - ec2:DescribeRouteTables
+ - ec2:EnableVgwRoutePropagation
+ - ec2:DisableVgwRoutePropagation
+ - ec2:DescribeVpnGateways
+ - ec2:CreateVpnGateway
+ - ec2:AttachVpnGateway
+ - ec2:DetachVpnGateway
+ - ec2:DeleteVpnGateway
+ - ec2:DescribeVpnConnections
+ - ec2:CreateVpnConnection
+ - ec2:DeleteVpnConnection
+ - ec2:DescribeTransitGateways
+ - ec2:DescribeTransitGatewayRouteTables
+ - ec2:DescribeTransitGatewayAttachments
+ - ec2:AssociateTransitGatewayRouteTable
+ - ec2:DisassociateTransitGatewayRouteTable
+ - ec2:EnableTransitGatewayRouteTablePropagation
+ - ec2:DisableTransitGatewayRouteTablePropagation
+ - ec2:GetTransitGatewayAttachmentPropagations
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:DescribeStacks
+ - cloudformation:DescribeStackResources
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:CreateStack
+ - cloudformation:DeleteStack
+ Resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*
+ - !Ref 'AWS::NoValue'
+Outputs:
+ Role:
+ Description: The role ARN to assume by the trusted account.
+ Value: !GetAtt Role.Arn
diff --git a/deprecated/aws/templates/R81/management/management.yaml b/deprecated/aws/templates/R81/management/management.yaml
new file mode 100755
index 00000000..e637fcfe
--- /dev/null
+++ b/deprecated/aws/templates/R81/management/management.yaml
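Review bot: The interface metadata names a parameter that does not exist — `ParameterGroups` lists `- Permissions` while the parameter itself and its `ParameterLabels` entry are both `STSPermissions`; it should read `- STSPermissions` so the console grouping matches (CloudFormation may reject an unknown name here, I have not verified which). Separately, the trust statement grants `sts:AssumeRole` to every principal in `TrustedAccount` with no `Condition`; for a role handed to another account the usual guard is a `StringEquals` on `sts:ExternalId`, or at minimum a comment above `AssumeRolePolicyDocument` stating that the trusted account is expected to restrict who may assume this role. Since this file is being parked under `deprecated/`, the fix matters most in whichever current template replaced it.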
@@ -0,0 +1,585 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Management Server (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ManagementSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + ManagementSubnet: + default: Management subnet + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: 
Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ManagementSubnet: + Description: To access the instance from the internet, make sure the subnet has + a route to the internet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. 
+ Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. 
Otherwise, + at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref 
GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, 
required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" 
allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/deprecated/aws/templates/R81/management/mds.yaml b/deprecated/aws/templates/R81/management/mds.yaml new file mode 100755 index 00000000..4a8d3e51 --- /dev/null +++ b/deprecated/aws/templates/R81/management/mds.yaml 
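Review bot: The IAM group label promises the permissions are "ignored when the installation is not Primary Management Server", but `CreateRole` and `UseRole` test only `ManagementPermissions`, so a Secondary management or Log Server deployment still gets `ManagementRoleStack` and an instance profile; either AND both conditions with a check on `ManagementInstallationType` (as mds.yaml's `CreateRole`/`UseRole` are ANDed with `PrimaryMDS`/`SecondaryMDS`) or drop the parenthetical from the label. The `ManagementPredefinedRole` description carries a stray full stop from a reflowed line: `Ignored. if IAM role is not set to 'Use existing'` should read `Ignored if IAM role is not set to 'Use existing'.`. `NoEcho: true` on `SICKey`, the two password hashes and `ManagementBootstrapScript` only hides them from the stack's parameter view; the same values are Base64-embedded in `UserData`, which is readable through `ec2:DescribeInstanceAttribute` and from the instance metadata service, so those parameter descriptions should state that the value is stored in instance user data.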
@@ -0,0 +1,529 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploys a Check Point Multi-Domain Server (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - MDSSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + MDSSubnet: + default: MDS subnet + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: + default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: 
SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + MDSSubnet: + Description: To access the instance from the internet, make sure the subnet has. + a route to the internet + Type: AWS::EC2::Subnet::Id + MinLength: 1 + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. + Type: String + Default: m5.2xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - 
r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. 
+ Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R81-BYOL + AllowedValues: + - R81-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. 
+ MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. + Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + 
FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref MDSName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref MDSSubnet + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt 
MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version \ No newline at end of file diff --git a/deprecated/aws/templates/R81/utils/copy-lambda-zip.yaml b/deprecated/aws/templates/R81/utils/copy-lambda-zip.yaml new file mode 100755 index 00000000..f5cdcfd2 --- /dev/null +++ b/deprecated/aws/templates/R81/utils/copy-lambda-zip.yaml 
@@ -0,0 +1,138 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an S3 bucket in the same region as the stack, and copy a zip of a Lambda from remote bucket to it (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Lambda zip location + Parameters: + - SourceBucketName + - FolderName + - LambdaPathObjects + ParameterLabels: + SourceBucketName: + default: Source Bucket Name + FolderName: + default: Folder Name + LambdaPathObjects: + default: Lambda Path +Parameters: + SourceBucketName: + Description: The source bucket (e.g. lambda-bucket ). + Type: String + MinLength: 1 + FolderName: + Description: The source folder (e.g. lambda-prefix/ ). + Type: String + AllowedPattern: '^[0-9a-zA-Z-_/]*/$' + LambdaPathObjects: + Description: A zip file (e.g. lambda.zip). + Type: String + AllowedPattern: '.*\.zip' +Resources: + LambdaZipBucket: + Type: AWS::S3::Bucket + CopyZips: + Type: Custom::CopyZips + Properties: + ServiceToken: !GetAtt CopyZipsFunction.Arn + SourceBucket: !Ref SourceBucketName + DestBucket: !Ref LambdaZipBucket + Prefix: !Ref FolderName + Objects: + - !Ref LambdaPathObjects + CopyZipsRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: lambda.amazonaws.com + Action: sts:AssumeRole + Path: / + Policies: + - PolicyName: !Sub lambda-copier-${LambdaZipBucket} + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - s3:GetObject + Resource: + - !Sub arn:aws:s3:::${SourceBucketName}/${FolderName}* + - Effect: Allow + Action: + - s3:PutObject + - s3:DeleteObject + Resource: + - !Sub arn:aws:s3:::${LambdaZipBucket}/${FolderName}* + CopyZipsFunction: + Type: AWS::Lambda::Function + Properties: + Description: Copies objects from a source S3 bucket to a destination. 
+ Handler: index.handler + Runtime: python3.7 + Role: !GetAtt CopyZipsRole.Arn + Timeout: 240 + Code: + ZipFile: | + import json + import logging + import threading + import boto3 + import cfnresponse + + + def copy_objects(source_bucket, dest_bucket, prefix, objects): + s3 = boto3.client('s3') + for o in objects: + key = prefix + o + copy_source = {'Bucket': source_bucket, 'Key': key } + print(f'copy_source: {copy_source}') + print(f'dest_bucket = {dest_bucket}') + print(f'key = {key}') + s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key) + + + def delete_objects(bucket, prefix, objects): + s3 = boto3.client('s3') + objects = {'Objects': [{'Key': prefix + o} for o in objects]} + s3.delete_objects(Bucket=bucket, Delete=objects) + + + def timeout(event, context): + logging.error('Execution is about to time out, sending failure' + ' response to CloudFormation') + cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) + + + def handler(event, context): + # make sure we send a failure to CloudFormation if the function + # is going to timeout + timer = threading.Timer((context.get_remaining_time_in_millis() + / 1000.00) - 0.5, timeout, args=[event, context]) + timer.start() + + print(f'Received event: {json.dumps(event)}') + status = cfnresponse.SUCCESS + try: + source_bucket = event['ResourceProperties']['SourceBucket'] + dest_bucket = event['ResourceProperties']['DestBucket'] + prefix = event['ResourceProperties']['Prefix'] + objects = event['ResourceProperties']['Objects'] + if event['RequestType'] == 'Delete': + delete_objects(dest_bucket, prefix, objects) + else: + copy_objects(source_bucket, dest_bucket, prefix, objects) + except Exception as e: + logging.error('Exception: %s' % e, exc_info=True) + status = cfnresponse.FAILED + finally: + timer.cancel() + cfnresponse.send(event, context, status, {}, None) +Outputs: + LambdaZipBucket: + Description: The new S3 bucket in the local region. 
+ Value: !Ref LambdaZipBucket
\ No newline at end of file
diff --git a/deprecated/aws/templates/R81/utils/tap-target-and-filter.yaml b/deprecated/aws/templates/R81/utils/tap-target-and-filter.yaml
new file mode 100755
index 00000000..89c60ac5
--- /dev/null
+++ b/deprecated/aws/templates/R81/utils/tap-target-and-filter.yaml
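Review bot: `LambdaZipBucket` is declared with no properties, so the bucket that receives the Lambda zip gets neither a PublicAccessBlockConfiguration nor default encryption, although the custom resource only ever needs it privately. `CopyZipsRole` also carries only the two S3 statements and no logs:CreateLogGroup/CreateLogStream/PutLogEvents, so the print and logging.error output in the inline handler is dropped exactly when a failed copy needs diagnosing, and `Runtime: python3.7` is an end-of-life Lambda runtime. If this file is only being relocated into deprecated/, the fix belongs wherever the live copy of this template is maintained.
```yaml
  LambdaZipBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  # … unchanged: CopyZips custom resource, CopyZipsRole, CopyZipsFunction …
```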
@@ -0,0 +1,68 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a traffic-mirror-filter and traffic-mirror-target (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Settings + Parameters: + - MirroringNetworkInterfaceId + - EnvironmentPrefix + ParameterLabels: + MirroringNetworkInterfaceId: + default: Mirroring target network interface id + EnvironmentPrefix: + default: Environment prefix for created resources +Parameters: + MirroringNetworkInterfaceId: + Description: The network interface ID to which all the traffic will be mirrored. + Type: String + AllowedPattern: '^eni-[a-z0-9]+$' + EnvironmentPrefix: + Description: The environment prefix for created resources. (optional) + Type: String + AllowedPattern: '[a-zA-Z0-9-_]*' + Default: cp-tap +Resources: + TrafficMirrorFilter: + Type: AWS::EC2::TrafficMirrorFilter + Properties: + Description: Traffic mirror filter. + Tags: + - Key: Name + Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-filter]] + TrafficMirrorFilterRuleIngress: + Type: AWS::EC2::TrafficMirrorFilterRule + Properties: + Description: Traffic mirror filter rule - ingress. + DestinationCidrBlock: 0.0.0.0/0 + RuleAction: accept + RuleNumber: 100 + SourceCidrBlock: 0.0.0.0/0 + TrafficDirection: ingress + TrafficMirrorFilterId: !Ref TrafficMirrorFilter + TrafficMirrorFilterRuleEgress: + Type: AWS::EC2::TrafficMirrorFilterRule + Properties: + Description: Traffic mirror filter rule - egress. + DestinationCidrBlock: 0.0.0.0/0 + RuleAction: accept + RuleNumber: 100 + SourceCidrBlock: 0.0.0.0/0 + TrafficDirection: egress + TrafficMirrorFilterId: !Ref TrafficMirrorFilter + TrafficMirrorTarget: + Type: AWS::EC2::TrafficMirrorTarget + Properties: + Description: Traffic mirror target. 
+ NetworkInterfaceId: !Ref MirroringNetworkInterfaceId
+ Tags:
+ - Key: Name
+ Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-target]]
+Outputs:
+ TrafficMirrorTargetId:
+ Description: Traffic mirror target id.
+ Value: !Ref TrafficMirrorTarget
+ TrafficMirrorFilterId:
+ Description: Traffic mirror filter id.
+ Value: !Ref TrafficMirrorFilter
\ No newline at end of file
diff --git a/deprecated/aws/templates/R81/utils/vpc.yaml b/deprecated/aws/templates/R81/utils/vpc.yaml
new file mode 100755
index 00000000..e04e0832
--- /dev/null
+++ b/deprecated/aws/templates/R81/utils/vpc.yaml
@@ -0,0 +1,571 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Availability Zone Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - Label: + default: Network Configuration + Parameters: + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CreatePrivateSubnets + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - CreateAttachmentSubnets + - AttachmentSubnet1CIDR + - AttachmentSubnet2CIDR + - AttachmentSubnet3CIDR + - AttachmentSubnet4CIDR + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CreatePrivateSubnets: + default: Create private subnets + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + PrivateSubnet3CIDR: + default: Private subnet 3 CIDR + PrivateSubnet4CIDR: + default: Private subnet 4 CIDR + CreateAttachmentSubnets: + default: Create Attachment subnets + AttachmentSubnet1CIDR: + default: Attachment subnet 1 CIDR + AttachmentSubnet2CIDR: + default: Attachment subnet 2 CIDR + AttachmentSubnet3CIDR: + default: Attachment subnet 3 CIDR + AttachmentSubnet4CIDR: + default: Attachment subnet 4 CIDR +Parameters: + AvailabilityZones: + Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. 
This must match your + selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 1 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ CreatePrivateSubnets: + Description: Set to false to create only public subnets. If false, the CIDR parameters. + for ALL private subnets will be ignored. + Type: String + Default: true + AllowedValues: + - true + - false + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + CreateAttachmentSubnets: + Description: Set true for creating designated subnets for VPC attachments. If false, + the CIDR parameters for the Attachment subnets will be ignored. 
+ Type: String + Default: false + AllowedValues: + - true + - false + AttachmentSubnet1CIDR: + Description: CIDR block for Attachment subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet2CIDR: + Description: CIDR block for Attachment subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet3CIDR: + Description: CIDR block for Attachment subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet4CIDR: + Description: CIDR block for Attachment subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true] + 2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs] + 3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs] + 4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs] + AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true] + 2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs] + 3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs] + 4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs] +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref VPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + InternetGateway: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + - Key: Network + Value: Public + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + DependsOn: [VPC, InternetGateway] + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnet1: + Type: AWS::EC2::Subnet + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 1 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet2: + Condition: 2AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 2 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet3: + Condition: 3AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref 
PublicSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 3 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet4: + Condition: 4AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 4 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnetRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPC + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Public Subnets Route Table + - Key: Network + Value: Public + PublicSubnetRoute: + DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable] + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicSubnetRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + PublicSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: [PublicSubnet1, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet1 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 2AZs + DependsOn: [PublicSubnet2, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet2 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + DependsOn: [PublicSubnet3, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet3 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + DependsOn: [PublicSubnet4, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet4 + RouteTableId: !Ref PublicSubnetRouteTable + PrivateSubnet1: + Type: AWS::EC2::Subnet + Condition: PrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + 
CidrBlock: !Ref PrivateSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 1 + - Key: Network + Value: Private + PrivateSubnet2: + Type: AWS::EC2::Subnet + Condition: 2AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 2 + - Key: Network + Value: Private + PrivateSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 3 + - Key: Network + Value: Private + PrivateSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 4 + - Key: Network + Value: Private + AttachmentSubnet1: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 1 + - Key: Network + Value: Private + AttachmentSubnet2: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 2 + - Key: Network + Value: Private + AttachmentSubnet3: + Condition: 3AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 3 + - Key: Network + Value: Private + 
AttachmentSubnet4: + Condition: 4AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 4 + - Key: Network + Value: Private +Outputs: + VPCID: + Value: !Ref VPC + Description: VPC ID. + Export: + Name: !Sub '${AWS::StackName}-VPCID' + VPCCIDR: + Value: !Ref VPCCIDR + Description: VPC CIDR + Export: + Name: !Sub '${AWS::StackName}-VPCCIDR' + PublicSubnet1CIDR: + Description: Public subnet 1 CIDR in Availability Zone 1. + Value: !Ref PublicSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR' + PublicSubnet1ID: + Description: Public subnet 1 ID in Availability Zone 1. + Value: !Ref PublicSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1ID' + PublicSubnet2CIDR: + Condition: 2AZs + Description: Public subnet 2 CIDR in Availability Zone 2. + Value: !Ref PublicSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR' + PublicSubnet2ID: + Condition: 2AZs + Description: Public subnet 2 ID in Availability Zone 2. + Value: !Ref PublicSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2ID' + PublicSubnet3CIDR: + Condition: 3AZs + Description: Public subnet 3 CIDR in Availability Zone 3. + Value: !Ref PublicSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR' + PublicSubnet3ID: + Condition: 3AZs + Description: Public subnet 3 ID in Availability Zone 3. + Value: !Ref PublicSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3ID' + PublicSubnet4CIDR: + Condition: 4AZs + Description: Public subnet 4 CIDR in Availability Zone 4. + Value: !Ref PublicSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR' + PublicSubnet4ID: + Condition: 4AZs + Description: Public subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PublicSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4ID' + PublicSubnetRouteTable: + Value: !Ref PublicSubnetRouteTable + Description: Public subnet route table. + Export: + Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable' + PrivateSubnet1CIDR: + Condition: PrivateSubnets + Description: Private subnet 1 CIDR in Availability Zone 1. + Value: !Ref PrivateSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR' + PrivateSubnet1ID: + Condition: PrivateSubnets + Description: Private subnet 1 ID in Availability Zone 1. + Value: !Ref PrivateSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1ID' + PrivateSubnet2CIDR: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 CIDR in Availability Zone 2. + Value: !Ref PrivateSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR' + PrivateSubnet2ID: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 ID in Availability Zone 2. + Value: !Ref PrivateSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2ID' + PrivateSubnet3CIDR: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 CIDR in Availability Zone 3. + Value: !Ref PrivateSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR' + PrivateSubnet3ID: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 ID in Availability Zone 3. + Value: !Ref PrivateSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3ID' + PrivateSubnet4CIDR: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 CIDR in Availability Zone 4. + Value: !Ref PrivateSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR' + PrivateSubnet4ID: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PrivateSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4ID' + AttachmentSubnet1CIDR: + Condition: AttachmentSubnets + Description: Attachment subnet 1 CIDR in Availability Zone 1. + Value: !Ref AttachmentSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR' + AttachmentSubnet1ID: + Condition: AttachmentSubnets + Description: Attachment subnet 1 ID in Availability Zone 1. + Value: !Ref AttachmentSubnet1 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID' + AttachmentSubnet2CIDR: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 CIDR in Availability Zone 2. + Value: !Ref AttachmentSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR' + AttachmentSubnet2ID: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 ID in Availability Zone 2. + Value: !Ref AttachmentSubnet2 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID' + AttachmentSubnet3CIDR: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 CIDR in Availability Zone 3. + Value: !Ref AttachmentSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR' + AttachmentSubnet3ID: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 ID in Availability Zone 3. + Value: !Ref AttachmentSubnet3 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID' + AttachmentSubnet4CIDR: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 CIDR in Availability Zone 4. + Value: !Ref AttachmentSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR' + AttachmentSubnet4ID: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 ID in Availability Zone 4. + Value: !Ref AttachmentSubnet4 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID' + IGWID: + Description: IGW ID. + Value: !Join ['', [!Ref InternetGateway]] + Export: + Name: !Sub '${AWS::StackName}-IGWID' \ No newline at end of file 
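Review bot: `AttachmentSubnet2` is guarded by `Condition: AttachmentSubnets` while `AttachmentSubnet3`, `AttachmentSubnet4` and the `AttachmentSubnet2CIDR`/`AttachmentSubnet2ID` outputs use the per-AZ conditions, so with NumberOfAZs set to 1 and CreateAttachmentSubnets true the template still builds that subnet from `!Select [1, !Ref AvailabilityZones]` on a one-element list; it should read `Condition: 2AZsAttachmentSubnets`. The `Type: List` on the AvailabilityZones parameter looks like a stripped `List<AWS::EC2::AvailabilityZone::Name>` and is worth checking against the file itself, since a bare `List` is not a CloudFormation parameter type. The CreatePrivateSubnets description also carries a stray period mid-sentence (`the CIDR parameters. for ALL private subnets`).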
diff --git a/deprecated/terraform/ali/R81/cluster-master/README.md b/deprecated/terraform/ali/R81/cluster-master/README.md
new file mode 100755
index 00000000..9ad12ed3
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/README.md
@@ -0,0 +1,174 @@ +# Check Point CloudGuard Network Security Cluster Master Terraform module for AliCloud + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into a new VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instances +* [RAM Role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration + +- Due to a terraform limitation, apply command is: +``` +terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply +``` +>Once terraform is updated, we will update accordingly. 
+ +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform plan +- Create or modify the deployment: + terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply + +### terraform.tfvars variables: + +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| cluster_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| management_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| vswitchs_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value of 4, the resulting vswitch address will have length /20. | number | n/a | n/a | yes | +| gateway_name | (optional) The name tag of the Cluster's Security Gateway instances | string | n/a | "Check-Point-Cluster-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {}} | no | +| gateway_version | Gateway version and license | string | R81-BYOL | R81-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| management_ip_address | (Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user | string | n/a | "" | no | +| resources_tag_name | (optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +cluster_vswitchs_map = { + "us-east-1a" = 1 +} +management_vswitchs_map = { + "us-east-1a" = 2 +} +private_vswitchs_map = { + "us-east-1a" = 3 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "ecs.g5ne.large" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +management_ip_address = "1.2.3.4" +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP for each Cluster member and associate it to the Security Gateway instances: +``` +allocate_and_associate_eip = true +``` +- To create a cluster RAM role for your Cluster instances with the required permissions for Cluster behavior, leave the ram_role_name variable empty: +``` +ram_role_name = "" +``` + +## Outputs +| Name | Description | +|----------------------------------|------------------------------------------------| 
+| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id id | +| vpc_cluster_vswitchs_ids_list | A list of the cluster vswitchs ids | +| vpc_management_vswitchs_ids_list | A list of the management vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The image id of the deployed Security Gateways | +| cluster_primary_EIP | Cluster Primary EIP | +| cluster_secondary_EIP | Cluster secondary EIP | +| member_a_EIP | Member A instance EIP | +| member_b_EIP | Member B instance EIP | +| member_a_instance_id | Member A instance id | +| member_b_instance_id | Member B instance id | +| member_a_instance_name | Member A instance name | +| member_b_instance_name | Member B instance name | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Cluster Terraform deployment into a new VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/deprecated/terraform/ali/R81/cluster-master/locals.tf b/deprecated/terraform/ali/R81/cluster-master/locals.tf new file mode 100755 index 00000000..58775cec --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster-master/locals.tf 
@@ -0,0 +1,28 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster-master/main.tf b/deprecated/terraform/ali/R81/cluster-master/main.tf
new file mode 100755
index 00000000..41bb165d
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/main.tf
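Review bot: The custom messages in `regex_gateway_sic_result` and `regex_gateway_hostname` are unreachable: `regex()` raises its own error when the pattern does not match, and when it does match the anchored pattern the result always equals the input, so the `: "Variable [...] must be ..."` branch is never selected and a bad value surfaces as Terraform's generic "no match" error. Since versions.tf pins `required_version = ">= 0.14.3"`, these checks belong in `validation {}` blocks on the variables, e.g. `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) error_message = "Variable gateway_SICKey must be at least 8 alphanumeric characters." }`, which reports the intended message at plan time. Note also that this SIC pattern accepts the `12345678` shipped in terraform.tfvars, so the validation does not stop the sample key from establishing trust with the management server; consider rejecting obviously weak values or raising the length floor.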
@@ -0,0 +1,53 @@
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_name = var.vpc_name
+ vpc_cidr = var.vpc_cidr
+ public_vswitchs_map = var.cluster_vswitchs_map
+ management_vswitchs_map = var.management_vswitchs_map
+ private_vswitchs_map = var.private_vswitchs_map
+ vswitchs_bit_length = var.vswitchs_bit_length
+}
+
+resource "alicloud_route_table" "private_vswitch_rt" {
+ depends_on = [module.launch_vpc]
+ route_table_name = "Internal_Route_Table"
+ vpc_id = module.launch_vpc.vpc_id
+}
+resource "alicloud_route_table_attachment" "private_rt_to_private_vswitchs" {
+ depends_on = [module.launch_vpc, alicloud_route_table.private_vswitch_rt]
+ route_table_id = alicloud_route_table.private_vswitch_rt.id
+ vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0]
+}
+
+module "launch_cluster_into_vpc" {
+ source = "../cluster"
+
+ vpc_id = module.launch_vpc.vpc_id
+ cluster_vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0]
+ mgmt_vswitch_id = module.launch_vpc.management_vswitchs_ids_list[0]
+ private_vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0]
+ private_route_table = alicloud_route_table.private_vswitch_rt.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ disk_category = var.disk_category
+ ram_role_name = var.ram_role_name
+ instance_tags = var.instance_tags
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ management_ip_address = var.management_ip_address
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = 
var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster-master/output.tf b/deprecated/terraform/ali/R81/cluster-master/output.tf
new file mode 100755
index 00000000..25347ba0
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/output.tf
@@ -0,0 +1,48 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rt_id" {
+ value = alicloud_route_table.private_vswitch_rt.id
+}
+output "vpc_cluster_vswitchs_ids_list" {
+ value = module.launch_vpc.public_vswitchs_ids_list
+}
+output "vpc_management_vswitchs_ids_list" {
+ value = module.launch_vpc.management_vswitchs_ids_list
+}
+output "vpc_private_vswitchs_ids_list" {
+ value = module.launch_vpc.private_vswitchs_ids_list
+}
+output "image_id" {
+ value = module.launch_cluster_into_vpc.image_id
+}
+output "cluster_primary_EIP" {
+ value = module.launch_cluster_into_vpc.cluster_primary_EIP
+}
+output "cluster_secondary_EIP" {
+ value = module.launch_cluster_into_vpc.cluster_secondary_EIP
+}
+output "member_a_EIP" {
+ value = module.launch_cluster_into_vpc.member_a_EIP
+}
+output "member_b_EIP" {
+ value = module.launch_cluster_into_vpc.member_b_EIP
+}
+output "member_a_instance_id" {
+ value = module.launch_cluster_into_vpc.member_a_instance_id
+}
+output "member_b_instance_id" {
+ value = module.launch_cluster_into_vpc.member_b_instance_id
+}
+output "member_a_instance_name" {
+ value = module.launch_cluster_into_vpc.member_a_instance_name
+}
+output "member_b_instance_name" {
+ value = module.launch_cluster_into_vpc.member_b_instance_name
+}
+output "permissive_sg_id" {
+ value = module.launch_cluster_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_cluster_into_vpc.permissive_sg_name
+}
\ No newline at end of file
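Review bot: Only the first vswitch of each map is actually used: `alicloud_route_table_attachment.private_rt_to_private_vswitchs` attaches `private_vswitchs_ids_list[0]` alone, and the cluster module receives `public_vswitchs_ids_list[0]`, `management_vswitchs_ids_list[0]` and `private_vswitchs_ids_list[0]`, while the variable descriptions promise "Each entry creates a vswitch. Minimum 1 pair." Any additional private vswitch would be created in the VPC without `Internal_Route_Table`, so traffic from it would presumably not take the default route towards the cluster that `private_route_table` is meant to install. Either state the limitation in main.tf, e.g. `// Only the first vswitch of each map is wired to the cluster; further entries are created but not routed through it`, or iterate the attachment with `for_each = toset(module.launch_vpc.private_vswitchs_ids_list)` so every private vswitch is covered.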
diff --git a/deprecated/terraform/ali/R81/cluster-master/terraform.tfvars b/deprecated/terraform/ali/R81/cluster-master/terraform.tfvars
new file mode 100755
index 00000000..42dd5743
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/terraform.tfvars
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_name = "cp-vpc"
+vpc_cidr = "10.0.0.0/16"
+cluster_vswitchs_map = {
+ "us-east-1a" = 1
+}
+management_vswitchs_map = {
+ "us-east-1a" = 2
+}
+private_vswitchs_map = {
+ "us-east-1a" = 3
+}
+vswitchs_bit_length = 8
+
+// --- ECS Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "ecs.g5ne.large"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_efficiency"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+management_ip_address = "1.2.3.4"
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+gateway_bootstrap_script = ""
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
diff --git a/deprecated/terraform/ali/R81/cluster-master/variables.tf b/deprecated/terraform/ali/R81/cluster-master/variables.tf
new file mode 100755
index 00000000..c20366aa
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/variables.tf
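Review bot: The shipped `terraform.tfvars` carries values that look real and pass every check in locals.tf — `gateway_SICKey = "12345678"`, `key_name = "publickey"`, `management_ip_address = "1.2.3.4"` — so an unedited `terraform apply` would bring up a cluster whose SIC trust with the management server is established with a trivially guessable key. Use placeholders that fail validation, e.g. `gateway_SICKey = ""`, so the sample cannot be applied as-is, and consider shipping it as `terraform.tfvars.example` so users' real SIC keys, password hashes and Smart-1 Cloud tokens do not end up committed under the tracked file name. The module README already instructs the user to "Choose a random string"; the sample should not contradict it.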
@@ -0,0 +1,150 @@
+// --- VPC Network Configuration ---
+variable "vpc_name" {
+ type = string
+ description = "The name of the VPC"
+ default = "cp-vpc"
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "cluster_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "management_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+}
+variable "private_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+}
+variable "vswitchs_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20"
+}
+
+// --- ECS Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Cluster's Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+default = "ecs.g5ne.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The ECS Key Pair name to allow SSH access to the instances"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP"
+default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+default = 100
+}
+variable "disk_category" {
+ type = string
+ description = "(Optional) Category of the ECS disk"
+ default = "cloud_efficiency"
+}
+variable "ram_role_name" {
+ type = string
+ description = "A predefined RAM role name to attach to the cluster's security gateway instances"
+ default = ""
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Gateway ECS Instances"
+default = {}
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)"
+default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+// --- Advanced Settings ---
+variable "management_ip_address" {
+ type = string
+ description = "(Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. 
If not provided, the static-route will need to be added manually post-deployment by user"
+ default = ""
+}
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+default = true
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = ""
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster-master/versions.tf b/deprecated/terraform/ali/R81/cluster-master/versions.tf
new file mode 100755
index 00000000..71e9843e
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster-master/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/ali/R81/cluster/README.md b/deprecated/terraform/ali/R81/cluster/README.md
new file mode 100755
index 00000000..5523b388
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster/README.md
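Review bot: In variables.tf, `gateway_SICKey`, `gateway_password_hash`, `memberAToken` and `memberBToken` are secrets but none of them is declared `sensitive = true`, so their values are printed in clear in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf requires Terraform `>= 0.14.3`, where `sensitive` is available, so adding `sensitive = true` to each of the four declarations is a no-cost fix (state still holds them, so the state backend needs protecting regardless). The two token variables also have no `default`, which makes them mandatory inputs, whereas the README table lists them as default `""` / Required "no" and the example leaves them empty — add `default = ""` to both, since locals.tf already handles the empty case. Separately, `primary_ntp`/`secondary_ntp` default to `""` here while the README documents `ntp1/ntp2.cloud.aliyuncs.com` as the defaults; one of the two should be corrected.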
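Review bot: In versions.tf, `source = "hashicorp/alicloud"` does not match the provider namespace the module README links to (`registry.terraform.io/providers/aliyun/alicloud`); the Alibaba Cloud provider is published as `aliyun/alicloud`, and as far as I know the `hashicorp/` path only resolves through a registry redirect, which is a supply-chain dependency you do not want a pinned module to rely on. Pin the documented namespace explicitly: `source = "aliyun/alicloud"`. The exact `version = "1.203.0"` pin is good; committing a `.terraform.lock.hcl` alongside it would also pin the provider checksums rather than just the version string.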
@@ -0,0 +1,158 @@ +# Check Point CloudGuard Network Security Cluster Terraform module for AliCloud + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into an existing VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instances +* [RAM Role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| cluster_vswitch_id | The cluster vswitch of the security gateways | string | Subnet in the same availability zone with mgmt_vswitch_id and private_vswitch_id | n/a | yes | +| mgmt_vswitch_id | The management vswitch of the security gateways Connect the Security Gateways to the Management Server with the ENI in this vswitch. | string | Subnet in the same availability zone with cluster_vswitch_id and private_vswitch_id | n/a | yes | +| private_vswitch_id | The private vswitch of the security gateways | string | Subnet in the same availability zone with cluster_vswitch_id and mgmt_vswitch_id | n/a | yes | +| private_route_table | (optional) Sets '0.0.0.0/0' route to the Active Cluster member instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table. 
| string | n/a | "" | no | +| gateway_name | (optional) The name tag of the Cluster's Security Gateway instances | string | n/a | "Check-Point-Cluster-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | R81-BYOL | R81-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| management_ip_address | (Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user | string | n/a | "" | no | +| resources_tag_name | (optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (optional) The host name will be appended with member-a/b accordingly | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +cluster_vswitch_id = "vsw-" +mgmt_vswitch_id = "vsw-" +private_vswitch_id = "vsw-" +private_route_table = "vtb-" + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.10-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +management_ip_address = "1.2.3.4" +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` + +## Conditional creation +- To create an Elastic IP for each Cluster member and associate it to the Security Gateway instances: +``` +allocate_and_associate_eip = true +``` +- To create a default route to the Active Cluster member, fill the private_route_table variable: +``` +private_route_table = "rtb-12345678" +``` +- To create a cluster RAM role for your Cluster instances with the required permissions for Cluster behavior, leave the ram_role_name variable empty: +``` +ram_role_name = "" +``` + +## Outputs +| Name | Description | 
+|------------------------|------------------------------------------------| +| cluster_primary_EIP | Cluster Primary EIP | +| cluster_secondary_EIP | Cluster secondary EIP | +| image_id | The image id of the deployed Security Gateways | +| member_a_EIP | Member A instance EIP | +| member_b_EIP | Member B instance EIP | +| member_a_instance_id | Member A instance id | +| member_b_instance_id | Member B instance id | +| member_a_instance_name | Member A instance name | +| member_b_instance_name | Member B instance name | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Cluster Terraform deployment into an existing VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/deprecated/terraform/ali/R81/cluster/cluster_member_a_userdata.yaml b/deprecated/terraform/ali/R81/cluster/cluster_member_a_userdata.yaml new file mode 100755 index 00000000..06dcd99f --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster/cluster_member_a_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230615\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/cluster/cluster_member_b_userdata.yaml b/deprecated/terraform/ali/R81/cluster/cluster_member_b_userdata.yaml new file mode 100755 index 00000000..20cc6e30 --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster/cluster_member_b_userdata.yaml 
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230615\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster/locals.tf b/deprecated/terraform/ali/R81/cluster/locals.tf
new file mode 100755
index 00000000..89314651
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster/locals.tf
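Review bot: `osVersion=\"{OsVersion}\"` is missing the `$`, so templatefile() leaves the literal text `{OsVersion}` in the command and cloud_config.py never receives the value main.tf supplies as `OsVersion`; member A's userdata has the correct `${OsVersion}`. Change it to `osVersion=\"${OsVersion}\"`. The `${Hostname }` interpolation with the stray space is legal HCL but differs from member A's `${Hostname}` and is worth normalising in the same fix.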
@@ -0,0 +1,46 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)" + //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenA = split(" ", var.memberAToken) + tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1)) + regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format" + + //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenB = split(" ", var.memberBToken) + tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1)) + regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 0 : "Smart-1 Cloud token B is invalid format" + + is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0 + validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty." + //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa + regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? 
"" : local.validation_message_both)) + + is_tokens_used = length(var.memberAToken) > 0 + is_both_tokens_the_same = var.memberAToken == var.memberBToken + validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + //Will fail if both s1c tokens are the same + regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + + // Create RAM Role only if input variable ram_role_name was not provided + create_ram_role = var.ram_role_name == "" ? 1 : 0 + version_split = element(split("-", var.gateway_version), 0) + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/cluster/main.tf b/deprecated/terraform/ali/R81/cluster/main.tf new file mode 100755 index 00000000..db2d9c93 --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster/main.tf 
@@ -0,0 +1,178 @@ +module "images" { + source = "../modules/images" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +// Instances +resource "alicloud_instance" "member-a-instance" { + instance_name = format("%s-Member-A", var.gateway_name) + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.cluster_vswitch_id + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = format("%s-Member-A", var.gateway_name) + }, var.instance_tags) + + user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", { + // script's arguments + Hostname = format("%s-member-a", var.gateway_hostname), + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenA = var.memberAToken, + ManagementIpAddress = var.management_ip_address, + OsVersion = local.version_split + }) +} +resource "alicloud_instance" "member-b-instance" { + instance_name = format("%s-Member-B", var.gateway_name) + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.cluster_vswitch_id + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = format("%s-Member-B", var.gateway_name) + }, var.instance_tags) + + user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", { + 
// script's arguments + Hostname = format("%s-member-b", var.gateway_hostname), + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenB = var.memberBToken, + ManagementIpAddress = var.management_ip_address, + OsVersion = local.version_split + }) +} + +// Management ENIs +resource "alicloud_network_interface" "member_a_mgmt_eni" { + network_interface_name = format("%s-Member-A-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.mgmt_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_a_mgmt_eni_attachment" { + instance_id = alicloud_instance.member-a-instance.id + network_interface_id = alicloud_network_interface.member_a_mgmt_eni.id +} +resource "alicloud_network_interface" "member_b_mgmt_eni" { + network_interface_name = format("%s-Member-B-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.mgmt_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_b_mgmt_eni_attachment" { + instance_id = alicloud_instance.member-b-instance.id + network_interface_id = alicloud_network_interface.member_b_mgmt_eni.id +} + +// Internal ENIs +resource "alicloud_network_interface" "member_a_internal_eni" { + depends_on = [alicloud_network_interface_attachment.member_a_mgmt_eni_attachment] + network_interface_name = format("%s-Member-A-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_a_internal_eni_attachment" { + instance_id = alicloud_instance.member-a-instance.id + network_interface_id = alicloud_network_interface.member_a_internal_eni.id +} +resource "alicloud_network_interface" "member_b_internal_eni" { + depends_on = [alicloud_network_interface_attachment.member_b_mgmt_eni_attachment] + network_interface_name = format("%s-Member-B-internal-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_b_internal_eni_attachment" { + instance_id = alicloud_instance.member-b-instance.id + network_interface_id = alicloud_network_interface.member_b_internal_eni.id +} + +// EIPs +module "common_cluster_primary_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = true + instance_id = alicloud_instance.member-a-instance.id + eip_name = format("%s-cluster-primary-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} +module "common_cluster_secondary_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = true + instance_id = alicloud_instance.member-b-instance.id + eip_name = format("%s-cluster-secondary-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} +module "common_member_a_mgmt_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_network_interface.member_a_mgmt_eni.id + association_instance_type = "NetworkInterface" + eip_name = format("%s-member-A-eip", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) +} +module "common_member_b_mgmt_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_network_interface.member_b_mgmt_eni.id + association_instance_type = "NetworkInterface" + eip_name = format("%s-member-B-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = alicloud_network_interface.member_a_internal_eni.id +} + +module "cluster_ram_role" { + count = local.create_ram_role + source = "../modules/cluster-ram-role" + + gateway_name = var.gateway_name +} + +resource "alicloud_ram_role_attachment" "attach" { + depends_on = [alicloud_instance.member-a-instance, alicloud_instance.member-b-instance] + role_name = var.ram_role_name != "" ? var.ram_role_name : module.cluster_ram_role[0].cluster_ram_role_name + instance_ids = [alicloud_instance.member-a-instance.id, alicloud_instance.member-b-instance.id] +} diff --git a/deprecated/terraform/ali/R81/cluster/output.tf b/deprecated/terraform/ali/R81/cluster/output.tf new file mode 100755 index 00000000..623cca8f --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster/output.tf 
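Review bot: Both management ENIs (`member_a_mgmt_eni`, `member_b_mgmt_eni`) carry `description = "eth2"`, the same text as the two internal ENIs, although the internal ENIs' `depends_on` on the management attachments suggests the management interface is meant to attach first, and the `management_ip_address` variable description speaks of a route via eth1. If the description is meant to record the expected interface name, `description = "eth1"` on the two management ENIs would match that ordering; if it is free text, a one-line comment saying so would stop the next reader from treating it as a copy-paste error. This is inferred from resource ordering only — confirm against how the gateway image numbers its interfaces.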
@@ -0,0 +1,33 @@
+output "cluster_primary_EIP" {
+ value = module.common_cluster_primary_eip.instance_eip_public_ip[0]
+}
+output "cluster_secondary_EIP" {
+ value = module.common_cluster_secondary_eip.instance_eip_public_ip[0]
+}
+output "image_id" {
+ value = module.images.image_id
+}
+output "member_a_EIP" {
+ value = module.common_member_a_mgmt_eip.instance_eip_public_ip[0]
+}
+output "member_b_EIP" {
+ value = module.common_member_b_mgmt_eip.instance_eip_public_ip[0]
+}
+output "member_a_instance_id" {
+ value = alicloud_instance.member-a-instance.id
+}
+output "member_b_instance_id" {
+ value = alicloud_instance.member-b-instance.id
+}
+output "member_a_instance_name" {
+ value = alicloud_instance.member-a-instance.instance_name
+}
+output "member_b_instance_name" {
+ value = alicloud_instance.member-b-instance.instance_name
+}
+output "permissive_sg_id" {
+ value = module.common_permissive_sg.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.common_permissive_sg.permissive_sg_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster/terraform.tfvars b/deprecated/terraform/ali/R81/cluster/terraform.tfvars
new file mode 100755
index 00000000..35d0209a
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster/terraform.tfvars
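Review bot: `member_a_EIP` and `member_b_EIP` index `instance_eip_public_ip[0]`, but main.tf passes `allocate_and_associate_eip = var.allocate_and_associate_eip` to those two module instances, so when the variable is false the list is presumably empty and the `[0]` lookup fails at apply time (the cluster primary/secondary EIP modules are given `true` and are unaffected). Guard the two optional outputs, e.g. `value = try(module.common_member_a_mgmt_eip.instance_eip_public_ip[0], null)` and the same for member B. Whether the module really returns an empty list in that case depends on the elastic_ip module, which is outside this diff.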
@@ -0,0 +1,40 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-"
+cluster_vswitch_id = "vsw-"
+mgmt_vswitch_id = "vsw-"
+private_vswitch_id = "vsw-"
+private_route_table = "vtb-"
+
+// --- ECS Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "ecs.g5ne.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_efficiency"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+management_ip_address = "1.2.3.4"
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+gateway_bootstrap_script = ""
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/cluster/variables.tf b/deprecated/terraform/ali/R81/cluster/variables.tf
new file mode 100755
index 00000000..51042420
--- /dev/null
+++ b/deprecated/terraform/ali/R81/cluster/variables.tf
@@ -0,0 +1,144 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "cluster_vswitch_id" { + type = string + description = "The cluster vswitch of the security gateways" +} +variable "mgmt_vswitch_id" { + type = string + description = "The management vswitch of the security gateways" +} +variable "private_vswitch_id" { + type = string + description = "The private vswitch of the security gateways" +} +variable "private_route_table" { + type = string + description = "(Optional) Sets '0.0.0.0/0' route to the Active Cluster member instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table" + default="" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Cluster's Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "A predefined RAM role 
name to attach to the cluster's security gateway instances" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances" + default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +// --- Advanced Settings --- +variable "management_ip_address" { + type = string + description = "(Optional) The Security Management IP address (public or private IP address). 
If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user" + default = "" +} +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/cluster/versions.tf b/deprecated/terraform/ali/R81/cluster/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/deprecated/terraform/ali/R81/cluster/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/deprecated/terraform/ali/R81/gateway-master/README.md b/deprecated/terraform/ali/R81/gateway-master/README.md new file mode 100755 index 00000000..97a9d95e --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway-master/README.md 
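Review bot: `gateway_SICKey`, `gateway_password_hash`, `memberAToken` and `memberBToken` are credentials but none of the four variable blocks declares `sensitive = true`, so their values are printed in plan output and in the `user_data` diff of both instances. versions.tf pins `required_version = ">= 0.14.3"`, which already provides the attribute; add `sensitive = true` to those four blocks. This only redacts CLI output — the values are still stored in plain text in the state file and in the instance user-data, which the variable descriptions should say. Separately, `null_resource.volume_size_too_small` uses a count-with-string trick for validation; a `validation` block on `volume_size` with `condition = var.volume_size >= 100` and an `error_message` gives a clearer failure and removes the dummy resource.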
@@ -0,0 +1,155 @@ +# Check Point Gateway Master Terraform module for AliCloud + +Terraform module which deploys a Check Point Security Gateway into a new VPC on AliCloud. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instance + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration + +- Due to a terraform limitation, apply command is: +``` +terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply +``` +>Once terraform is updated, we will update accordingly. + +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the gateway-master/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform plan +- Create or modify the deployment: + terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply + +### terraform.tfvars variables: + +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_cidr | The CIDR block of the VPC. | string | n/a | n/a | yes | +| public_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| vswitchs_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value of 4, the resulting vswitch address will have length /20. 
| number | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateway instances (optional) | string | n/a | "Check-Point-Gateway-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge
- ecs.g7nene.large
- ecs.g7nene.xlarge
- ecs.g7nene.2xlarge
- ecs.g7nene.4xlarge
- ecs.g7nene.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | R81-BYOL | R81-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (optional) The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +private_vswitchs_map = { + "us-east-1a" = 2 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" 
+gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP and associate it to the Gateway instance: +``` +allocate_and_associate_eip = true +``` + +## Outputs +| Name | Description | +|-------------------------------|---------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id id | +| vpc_public_vswitchs_ids_list | A list of the private vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_eip_id | The id of the elastic IP | +| gateway_eip_public_ip | The elastic pubic IP | +| gateway_instance_id | The Security Gateway instance id | +| gateway_instance_name | The deployed Gateway AliCloud instance name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Gateway Terraform deployment into a new VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway-master/locals.tf b/deprecated/terraform/ali/R81/gateway-master/locals.tf new file mode 100755 index 00000000..706b0458 --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway-master/locals.tf @@ -0,0 +1,17 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway-master/main.tf b/deprecated/terraform/ali/R81/gateway-master/main.tf new file mode 100755 index 00000000..d2c35c1f --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway-master/main.tf 
@@ -0,0 +1,49 @@
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_name = var.vpc_name
+ vpc_cidr = var.vpc_cidr
+ public_vswitchs_map = var.public_vswitchs_map
+ private_vswitchs_map = var.private_vswitchs_map
+ vswitchs_bit_length = var.vswitchs_bit_length
+}
+
+resource "alicloud_route_table" "private_vswitch_rt" {
+ depends_on = [module.launch_vpc]
+ route_table_name = "Internal_Route_Table"
+ vpc_id = module.launch_vpc.vpc_id
+}
+resource "alicloud_route_table_attachment" "private_rt_to_private_vswitchs" {
+ depends_on = [module.launch_vpc, alicloud_route_table.private_vswitch_rt]
+ route_table_id = alicloud_route_table.private_vswitch_rt.id
+ vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0]
+}
+
+module "launch_gateway_into_vpc" {
+ source = "../gateway"
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0]
+ private_vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0]
+ private_route_table = alicloud_route_table.private_vswitch_rt.id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ disk_category = var.disk_category
+ ram_role_name = var.ram_role_name
+ instance_tags = var.instance_tags
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
\ No newline at end of file
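Review bot: Only the first private vswitch receives the internal route table and only the first public/private vswitches reach the gateway: `alicloud_route_table_attachment.private_rt_to_private_vswitchs` uses `private_vswitchs_ids_list[0]` and `module.launch_gateway_into_vpc` is handed `[0]` of both lists, while `public_vswitchs_map`/`private_vswitchs_map` are described in variables.tf as creating one vswitch per entry. An operator who passes two zones gets extra vswitches that are created but left unrouted and unattached, with no warning. Either state in the variable descriptions that only the first entry is wired to the gateway, or attach the route table with `for_each = toset(module.launch_vpc.private_vswitchs_ids_list)` so every private vswitch is covered.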
diff --git a/deprecated/terraform/ali/R81/gateway-master/output.tf b/deprecated/terraform/ali/R81/gateway-master/output.tf
new file mode 100755
index 00000000..ed33d983
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway-master/output.tf
@@ -0,0 +1,33 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rt_id" {
+ value = alicloud_route_table.private_vswitch_rt.id
+}
+output "vpc_public_vswitchs_ids_list" {
+ value = module.launch_vpc.public_vswitchs_ids_list
+}
+output "vpc_private_vswitchs_ids_list" {
+ value = module.launch_vpc.private_vswitchs_ids_list
+}
+output "image_id" {
+ value = module.launch_gateway_into_vpc.image_id
+}
+output "permissive_sg_id" {
+ value = module.launch_gateway_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_gateway_into_vpc.permissive_sg_name
+}
+output "gateway_eip_id" {
+ value = module.launch_gateway_into_vpc.gateway_eip_id
+}
+output "gateway_eip_public_ip" {
+ value = module.launch_gateway_into_vpc.gateway_eip_public_ip
+}
+output "gateway_instance_id" {
+ value = module.launch_gateway_into_vpc.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.launch_gateway_into_vpc.gateway_instance_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/gateway-master/terraform.tfvars b/deprecated/terraform/ali/R81/gateway-master/terraform.tfvars
new file mode 100755
index 00000000..c43d3d8d
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway-master/terraform.tfvars
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_name = "cp-vpc"
+vpc_cidr = "10.0.0.0/16"
+public_vswitchs_map = {
+ "us-east-1a" = 1
+}
+private_vswitchs_map = {
+ "us-east-1a" = 2
+}
+vswitchs_bit_length = 8
+
+// --- ECS Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "ecs.g5ne.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_efficiency"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt"
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
diff --git a/deprecated/terraform/ali/R81/gateway-master/variables.tf b/deprecated/terraform/ali/R81/gateway-master/variables.tf
new file mode 100755
index 00000000..68b88ac6
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway-master/variables.tf
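Review bot: The shipped `terraform.tfvars` sets `gateway_SICKey = "12345678"`, a sequential value that satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so applying the file unchanged produces a gateway whose Secure Internal Communication key is the published example. Because `terraform.tfvars` is auto-loaded and routinely committed, a real key typed into this slot would also end up in version control alongside `gateway_password_hash` and `gateway_TokenKey`. The safer pattern is a placeholder that cannot pass validation, `gateway_SICKey = ""`, plus a comment `// Supply via TF_VAR_gateway_SICKey or a git-ignored *.auto.tfvars; never commit the real key`, and the same treatment for the other two secrets.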
@@ -0,0 +1,140 @@ +// --- VPC Network Configuration --- +variable "vpc_name" { + type = string + description = "The name of the VPC" + default = "cp-vpc" +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "vswitchs_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" +default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Secutiry Gateways" +default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance" +default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" +default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = 
"cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" +default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" +default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." 
+} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" +default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway-master/versions.tf b/deprecated/terraform/ali/R81/gateway-master/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway-master/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/deprecated/terraform/ali/R81/gateway/README.md b/deprecated/terraform/ali/R81/gateway/README.md new file mode 100755 index 00000000..0c4c79b1 --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway/README.md 
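Review bot: `gateway_SICKey`, `gateway_password_hash` and `gateway_TokenKey` are secrets, yet none of the three `variable` blocks in this hunk sets `sensitive = true`, so their values are printed verbatim in `terraform plan`/`apply` output and in any CI log that captures it; `required_version = ">= 0.14.3"` in versions.tf makes the attribute available, so add `sensitive = true` to each of the three blocks. `gateway_TokenKey` also has no `default`, which makes Terraform prompt for it interactively, whereas terraform.tfvars and the gateway README in this change treat it as optional with default `""`; adding `default = ""` restores the documented contract. The `null_resource.volume_size_too_small` block, which relies on a string in `count` to fail, would read better as a `validation { condition = var.volume_size >= 100 ... }` block on `volume_size`.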
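Review bot: The provider is pinned as `source = "hashicorp/alicloud"` while the READMEs in this change direct operators to the `aliyun/alicloud` registry namespace; `hashicorp/alicloud` appears to be the legacy alias that the registry redirects to `aliyun/alicloud`, so the two should agree and the canonical `source = "aliyun/alicloud"` is the one to pin. The exact `version = "1.203.0"` pin is good, but it only fixes the version string; committing the `.terraform.lock.hcl` produced by `terraform init` is what makes the provider build hash-verified on every init.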
@@ -0,0 +1,141 @@ +# Check Point Gateway Terraform module for AliCloud + +Terraform module which deploys a Check Point Security Gateway into an existing VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instance + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the gateway/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vpc_cidr | The CIDR block of the provided VPC | string | n/a | n/a | yes | +| public_vswitch_id | The public vswitch of the security gateway | string | n/a | n/a | yes | +| private_vswitch_id | The private vswitch of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| gateway_name | The name tag of the Security Gateway instances (optional) | string | n/a | "Check-Point-Gateway-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | R81-BYOL | R8-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (optional) The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +public_vswitch_id = "vsw-" +private_vswitch_id = "vsw-" +private_route_table = "vtb-" + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick 
connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP and associate it to the Gateway instance: +``` +allocate_and_associate_eip = true +``` +- To create a default route at the private route table: +``` +private_route_table = "rtb-12345678" +``` + +## Outputs +| Name | Description | +|-----------------------|-----------------------------------------------| +| image_id | The image id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_eip_id | The id of the elastic IP | +| gateway_eip_public_ip | The elastic pubic IP | +| gateway_instance_id | The Security Gateway instance id | +| gateway_instance_name | The deployed Gateway AliCloud instance name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGaurd Gateway Terraform deployment into an existing VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway/locals.tf b/deprecated/terraform/ali/R81/gateway/locals.tf new file mode 100755 index 00000000..7f880dea --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway/locals.tf 
@@ -0,0 +1,23 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ //will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_token = split(" ", var.gateway_TokenKey)
+ token_decode = base64decode(element(local.split_token, length(local.split_token)-1))
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ regex_token = regex(local.regex_token_valid, local.token_decode) == local.token_decode ? 0 : "Smart-1 Cloud token is invalid format"
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/gateway/main.tf b/deprecated/terraform/ali/R81/gateway/main.tf
new file mode 100755
index 00000000..93bfb0c1
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway/main.tf
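Review bot: The Smart-1 Cloud token check in `regex_token_valid` is looser than its comment claims: the `.` before `checkpoint.com` is unescaped and the leading `(.+)` matches any characters including `/`, so a decoded URL such as `https://other.example/x.checkpoint.com/app/maas/api/v1/tenant/...` passes. Since the token is operator-supplied this weakens a sanity check rather than opening a hole, but if the intent is to accept only Check Point hosts the host part should be anchored, e.g. `regex_token_valid = "(^https://[A-Za-z0-9.-]+\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"`. As with the SIC and hostname checks, the `? 0 : "Smart-1 Cloud token is invalid format"` branch is unreachable because `regex()` errors on a non-match, and a token whose last space-separated field is not valid base64 fails inside `base64decode()` with a generic error instead. A `validation` block on `var.gateway_TokenKey` using `can(regex(local.regex_token_valid, base64decode(...)))` would surface the intended message at plan time.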
@@ -0,0 +1,70 @@ +module "images" { + source = "../modules/images" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +module "common_gateway_instance" { + source = "../modules/common/gateway_instance" + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + gateway_name = var.gateway_name + volume_size = var.volume_size + disk_category = var.disk_category + vswitch_id = var.public_vswitch_id + gateway_instance_type = var.gateway_instance_type + instance_tags = var.instance_tags + key_name = var.key_name + image_id = module.images.image_id + gateway_password_hash = var.gateway_password_hash + admin_shell = var.admin_shell + gateway_SICKey = var.gateway_SICKey + gateway_TokenKey = var.gateway_TokenKey + gateway_bootstrap_script = var.gateway_bootstrap_script + gateway_hostname = var.gateway_hostname + allow_upload_download = var.allow_upload_download + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp + gateway_version = var.gateway_version +} + +resource "alicloud_network_interface" "internal_eni" { + network_interface_name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth1" +} + +resource "alicloud_network_interface_attachment" "internal_eni_attachment" { + instance_id = module.common_gateway_instance.gateway_instance_id + network_interface_id = alicloud_network_interface.internal_eni.id +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = alicloud_network_interface.internal_eni.id +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = module.common_gateway_instance.gateway_instance_id +} + +resource "alicloud_ram_role_attachment" "attach" { + count = var.ram_role_name != "" ? 1 : 0 + role_name = var.ram_role_name + instance_ids = [module.common_gateway_instance.gateway_instance_id] +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway/output.tf b/deprecated/terraform/ali/R81/gateway/output.tf new file mode 100755 index 00000000..7f2e85c1 --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway/output.tf @@ -0,0 +1,21 @@ +output "image_id" { + value = module.images.image_id +} +output "permissive_sg_id" { + value = module.common_permissive_sg.permissive_sg_id +} +output "permissive_sg_name" { + value = module.common_permissive_sg.permissive_sg_name +} +output "gateway_eip_id" { + value = module.common_eip.instance_eip_id +} +output "gateway_eip_public_ip" { + value = module.common_eip.instance_eip_public_ip +} +output "gateway_instance_id" { + value = module.common_gateway_instance.gateway_instance_id +} +output "gateway_instance_name" { + value = module.common_gateway_instance.gateway_instance_name +} \ No newline at end of file 
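Review bot: Both the instance's public-vswitch interface (via `security_groups` on `module.common_gateway_instance`) and the internal `alicloud_network_interface.internal_eni` are placed in the single group from `module.common_permissive_sg`, whose name suggests an allow-all rule set; the module body is not in this change, so that is inferred from the name and the `permissive_sg_id` output. With `allocate_and_associate_eip` defaulting to `true` that group fronts an internet-reachable EIP, leaving admin access (SSH, Gaia portal) to be restricted solely by the gateway's own policy. A `management_source_cidrs` variable passed into the security-group module would let the cloud-side group limit administrative sources as a second layer. Separately, `module.common_internal_default_route` depends only on `alicloud_network_interface.internal_eni.id`, not on `alicloud_network_interface_attachment.internal_eni_attachment`, so the default route may be created before the ENI is attached; whether the provider accepts an unattached ENI as next hop is worth verifying, and an explicit `depends_on` on the attachment removes the ordering question.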
diff --git a/deprecated/terraform/ali/R81/gateway/terraform.tfvars b/deprecated/terraform/ali/R81/gateway/terraform.tfvars
new file mode 100755
index 00000000..4d02e623
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway/terraform.tfvars
@@ -0,0 +1,37 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-"
+public_vswitch_id = "vsw-"
+private_vswitch_id = "vsw-"
+private_route_table = "vtb-"
+
+// --- ECS Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "ecs.g5ne.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_efficiency"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt"
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/gateway/variables.tf b/deprecated/terraform/ali/R81/gateway/variables.tf
new file mode 100755
index 00000000..a141b140
--- /dev/null
+++ b/deprecated/terraform/ali/R81/gateway/variables.tf
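Review bot: `gateway_SICKey = "12345678"` in this auto-loaded `terraform.tfvars` passes the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so an operator who only fills in the `vpc-`/`vsw-` placeholders and applies gets a gateway whose Secure Internal Communication key is the value published in this repository. A committed tfvars is also the wrong home for `gateway_password_hash` and `gateway_TokenKey` once real values are entered. Use a placeholder that fails validation, `gateway_SICKey = ""`, with a comment `// Supply via TF_VAR_gateway_SICKey or a git-ignored *.auto.tfvars`, so the apply cannot succeed until a real key is provided out of band.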
@@ -0,0 +1,133 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_vswitch_id" { + type = string + description = "The public vswitch of the security gateway" +} +variable "private_vswitch_id" { + type = string + description = "The private vswitch of the security gateway" +} +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table" +default="" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Secutiry Gateways" + default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 
100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/gateway/versions.tf b/deprecated/terraform/ali/R81/gateway/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/deprecated/terraform/ali/R81/gateway/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/deprecated/terraform/ali/R81/management-master/README.md b/deprecated/terraform/ali/R81/management-master/README.md new file mode 100755 index 00000000..d5cf23c9 --- /dev/null +++ b/deprecated/terraform/ali/R81/management-master/README.md 
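Review bot: `gateway_SICKey`, `gateway_password_hash` and `gateway_TokenKey` are secrets, yet none of the three `variable` blocks in this hunk sets `sensitive = true`, so the values appear verbatim in `terraform plan`/`apply` output and in CI logs; `required_version = ">= 0.14.3"` in versions.tf makes the attribute available, so add `sensitive = true` to each. `gateway_TokenKey` has no `default`, which makes Terraform prompt for it, whereas the gateway README in this change lists it with default `""` and Required `no`; `default = ""` restores the documented contract. That README also documents a required `vpc_cidr` input and names the keys `gateway_SIC_Key` and `password_hash`, none of which exist in this variables.tf (`vpc_id` is the only VPC input and it carries no description), so the table and the variable set should be reconciled. The `null_resource.volume_size_too_small` count trick would be clearer as a `validation` block on `volume_size`.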
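Review bot: `source = "hashicorp/alicloud"` disagrees with the READMEs in this change, which point operators at the `aliyun/alicloud` registry namespace; `hashicorp/alicloud` appears to be the legacy alias the registry redirects, so pin the canonical `source = "aliyun/alicloud"` instead. Pinning `version = "1.203.0"` fixes only the version string; committing the `.terraform.lock.hcl` from `terraform init` is what verifies the provider build's hash on subsequent inits.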
@@ -0,0 +1,134 @@ +# Check Point Management master Server Terraform module for AliCloud + +Terraform module which deploys a Check Point Management Server into a new VPC on AliCloud. + +These types of Terraform resources are supported: +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - management Instance +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) + + +## Note +- Make sure your region and zone are supporting the management instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` +## Usage +- Fill all variables in the management-master/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vswitch_id | Vswitch id | string | n/a | n/a | yes | +| instance_name | AliCloud instance name to launch | string | n/a | "CP-Management-tf" | no | +| instance_type | AliCloud instance type | string | - ecs.g6e.large
- ecs.g6e.xlarge
- ecs.g6e.2xlarge
- ecs.g6e.4xlarge
- ecs.g6e.8xlarge | "ecs.g6e.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| eip | Allocate and associate an elastic IP with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | +| ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | +| version_license | Version and license of the Check Point Security Management | string | R81-BYOL | R81-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | +| is_primary_management | Determines if this is the primary Management Server or not | bool | true/false | true | no | +| SICKey | "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (Optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | +| bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +vswitchs_bit_length = 8 + + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +``` + +## Outputs +| Name | Description | +|-------------------------------|-------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| vpc_public_vswitchs_ids_list | A list of the private vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The 
ami id of the deployed Security Gateway | +| management_instance_id | The deployed Management AliCloud instance id | +| management_instance_name | The deployed Management AliCloud instance name | +| management_instance_tags | The deployed Management AliCloud tags | +| management_public_ip | The deployed Management AliCloud public address | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. |
+| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. |
+| 20211011 | First release of Check Point CloudGuard Management Terraform deployment into a new VPC in Alibaba cloud. |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/management-master/locals.tf b/deprecated/terraform/ali/R81/management-master/locals.tf
new file mode 100755
index 00000000..d64e0b51
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/locals.tf
@@ -0,0 +1,20 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // Will fail if var.gateway_management is invalid
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_cidr or var.gateway_addresses are invalid
+ mgmt_vswitch_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_cidr must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/management-master/main.tf b/deprecated/terraform/ali/R81/management-master/main.tf
new file mode 100755
index 00000000..1e47d448
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/main.tf 
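Review bot: The `== var.admin_cidr` comparison in `mgmt_vswitch_regex_result` (and `== var.gateway_addresses` in `gw_addr_regex_result`) can never be true, because `regex_valid_cidr_range` contains unnamed capture groups and Terraform's regex() then returns the list of captured substrings rather than the matched string. An invalid value still aborts the run, but only through regex()'s own generic no-match error, so the "must be a valid CIDR range" messages written here never reach the user, and for a valid value the local silently holds the error text instead of 0. Since versions.tf in this change requires Terraform >= 0.14.3, a `validation` block on each variable with `condition = can(regex(<same pattern>, var.admin_cidr))` and the intended `error_message` would make the check both real and readable; the pattern has to be inlined there because validation conditions cannot reference locals. The same code appears in deprecated/terraform/ali/R81/management/locals.tf later in this diff.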
@@ -0,0 +1,40 @@
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_name = var.vpc_name
+ vpc_cidr = var.vpc_cidr
+ public_vswitchs_map = var.public_vswitchs_map
+ private_vswitchs_map = {}
+ vswitchs_bit_length = var.vswitchs_bit_length
+}
+
+module "launch_management_into_vpc" {
+ source = "../management"
+
+ vpc_id = module.launch_vpc.vpc_id
+ vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0]
+ ram_role_name = var.ram_role_name
+
+ instance_name = var.instance_name
+ instance_type = var.instance_type
+ key_name = var.key_name
+
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ disk_category = var.disk_category
+ instance_tags = var.instance_tags
+ version_license = var.version_license
+ admin_shell = var.admin_shell
+ password_hash = var.password_hash
+ hostname = var.hostname
+ is_primary_management = var.is_primary_management
+ SICKey = var.SICKey
+ allow_upload_download = var.allow_upload_download
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateway_addresses
+ bootstrap_script = var.bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
diff --git a/deprecated/terraform/ali/R81/management-master/output.tf b/deprecated/terraform/ali/R81/management-master/output.tf
new file mode 100755
index 00000000..fa85cce2
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/output.tf 
@@ -0,0 +1,25 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished"
+}
+
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "vpc_public_vswitchs_ids_list" {
+ value = module.launch_vpc.public_vswitchs_ids_list
+}
+output "image_id" {
+ value = module.launch_management_into_vpc.image_id
+}
+output "management_instance_id" {
+ value = module.launch_management_into_vpc.management_instance_id
+}
+output "management_instance_name" {
+ value = module.launch_management_into_vpc.management_instance_name
+}
+output "management_instance_tags" {
+ value = module.launch_management_into_vpc.management_instance_tags
+}
+output "management_public_ip" {
+ value = module.launch_management_into_vpc.management_public_ip
+}
diff --git a/deprecated/terraform/ali/R81/management-master/terraform.tfvars b/deprecated/terraform/ali/R81/management-master/terraform.tfvars
new file mode 100755
index 00000000..bf6cb990
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/terraform.tfvars 
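Review bot: The management-master README added in this change lists an output `vpc_private_vswitchs_ids_list`, but this output.tf defines no such output, and main.tf in the same change passes `private_vswitchs_map = {}` to the VPC module, so there is nothing to expose; the README's `vpc_public_vswitchs_ids_list` row also describes the value as "private". Either drop the stale README rows or add the output here so the two agree. A `description` on `output "Deployment"` (e.g. `description = "Post-deployment hint; not a resource attribute"`) would make clear in `terraform output` that this is a static message rather than a deployed value.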
@@ -0,0 +1,40 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_name = "cp-vpc"
+vpc_cidr = "10.0.0.0/16"
+public_vswitchs_map = {
+ "us-east-1a" = 1
+}
+vswitchs_bit_length = 8
+
+
+// --- ECS Instances Configuration ---
+instance_name = "CP-Management-tf"
+instance_type = "ecs.g6e.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_essd"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+version_license = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+password_hash = ""
+hostname = "mgmt-tf"
+
+// --- Security Management Server Settings ---
+is_primary_management = "true"
+SICKey = ""
+allow_upload_download = "true"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
+bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt"
diff --git a/deprecated/terraform/ali/R81/management-master/variables.tf b/deprecated/terraform/ali/R81/management-master/variables.tf
new file mode 100755
index 00000000..aa9954f7
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/variables.tf 
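Review bot: `version_license = "R81.20-BYOL"` (also the default in variables.tf) disagrees with the README table added in this change, which lists `R81-BYOL` as the only allowed value and the default; the README's own revision-history entry "Change default Check Point version to R81.20" suggests the table column is the stale side, but one of the two should be corrected. `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` are the values that end up as `cidr_ip` on the management security-group ingress rules in management/main.tf, so a user who applies this sample unchanged exposes the Management Server ports to any source; a comment on those two lines, `// sample value - restrict to the networks that must reach the Management Server`, would make that explicit. `is_primary_management = "true"` and `allow_upload_download = "true"` are quoted strings for `bool` variables; Terraform converts them, but the bare `true` used for `allocate_and_associate_eip` a few lines above is the consistent form.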
@@ -0,0 +1,137 @@
+// --- VPC Network Configuration ---
+variable "vpc_name" {
+ type = string
+ description = "The name of the VPC"
+ default = "cp-vpc"
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "vswitchs_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20"
+}
+// --- ECS Instance Configuration ---
+variable "instance_name" {
+ type = string
+ description = "AliCloud instance name to launch"
+ default = "CP-Management-tf"
+}
+variable "instance_type" {
+ type = string
+ description = ""
+ default ="ecs.g6e.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The ECS Key Pair name to allow SSH access to the instances"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "When set to 'true', an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+variable "disk_category" {
+ type = string
+ description = "(Optional) Category of the ECS disk"
+ default = "cloud_essd"
+}
+variable "ram_role_name" {
+ type = string
+ description = "RAM role name to attach to the instance profile"
+ default = ""
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Management ECS Instance"
+default = {}
+}
+// --- Check Point Settings ---
+variable "version_license" {
+ type = string
+ description = "version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.version_license
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "hostname" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+
+// --- Security Management Server Settings ---
+variable "is_primary_management" {
+ type = bool
+ description = "true/false. Determines if this is the primary management server or not"
+ default = true
+}
+variable "SICKey" {
+ type = string
+ description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Management Server"
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = ""
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = ""
+}
+variable "bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/management-master/versions.tf b/deprecated/terraform/ali/R81/management-master/versions.tf
new file mode 100755
index 00000000..71e9843e
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management-master/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/ali/R81/management/README.md b/deprecated/terraform/ali/R81/management/README.md
new file mode 100755
index 00000000..9a46c521
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management/README.md 
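Review bot: `variable "SICKey"` and `variable "password_hash"` hold credentials but are not marked `sensitive = true`, so their values appear verbatim in plan/apply output and in any CI log that captures it; versions.tf in this same change requires Terraform >= 0.14.3, where that argument is available, so `sensitive = true` can simply be added to both blocks. The corresponding variables of the `../management` module this file feeds (which base64-encodes them in management/locals.tf later in this diff) and `gateway_SICKey` / `gateway_password_hash` in the gateway variables.tf earlier in this diff want the same flag, since the value is only redacted if it is sensitive at the point it enters the configuration. Separately, `admin_cidr` and `gateway_addresses` are declared without a default here, i.e. required, while the README table added in this change lists `0.0.0.0/0` as their default; requiring them is the safer behavior, so the README is the side to correct.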
@@ -0,0 +1,127 @@ +# Check Point Management Server Terraform module for AliCloud + +Terraform module which deploys a Check Point Management Server into an existing VPC on AliCloud. + +These types of Terraform resources are supported: +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - management Instance +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) + + +## Note +- Make sure your region and zone are supporting the management instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the management/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vswitch_id | Vswitch id | string | n/a | n/a | yes | +| instance_name | AliCloud instance name to launch | string | n/a | "CP-Management-tf" | no | +| instance_type | AliCloud instance type | string | - ecs.g6e.large
- ecs.g6e.xlarge
- ecs.g6e.2xlarge
- ecs.g6e.4xlarge
- ecs.g6e.8xlarge | "ecs.g6e.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| eip | Allocate and associate an elastic IP with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | +| ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | +| version_license | Version and license of the Check Point Security Management | string | R81-BYOL | R81-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | +| is_primary_management | Determines if this is the primary Management Server or not | bool | true/false | true | no | +| SICKey | "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (Optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | +| bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +vswitch_id = "vsw-" + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +``` + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------| +| image_id | The ami id of the deployed Security Gateway | +| management_instance_id | The deployed Management AliCloud instance id | +| management_instance_name | The deployed Management AliCloud instance name | +| management_instance_tags | The deployed Management AliCloud tags | +| 
management_public_ip | The deployed Management AliCloud public address | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230829 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. |
+| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | | | |
+| 20211011 | First release of Check Point CloudGaurd Management Terraform deployment into an existing VPC in Alibaba cloud. |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/management/locals.tf b/deprecated/terraform/ali/R81/management/locals.tf
new file mode 100755
index 00000000..b6815a6f
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management/locals.tf
@@ -0,0 +1,24 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // Will fail if var.gateway_management is invalid
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_cidr or var.gateway_addresses are invalid
+ mgmt_vswitch_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_cidr must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+ version_split = element(split("-", var.version_license), 0)
+ gateway_bootstrap_script64 = base64encode(var.bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.SICKey)
+ gateway_password_hash_base64 = base64encode(var.password_hash)
+}
\ No newline at end of file 
diff --git a/deprecated/terraform/ali/R81/management/main.tf b/deprecated/terraform/ali/R81/management/main.tf
new file mode 100755
index 00000000..33b6d436
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management/main.tf 
@@ -0,0 +1,177 @@ +module "images" { + source = "../modules/images" + + version_license = var.version_license + chkp_type = "management" +} + +resource "alicloud_security_group" "management_sg" { + name = format("%s-SecurityGroup", var.instance_name) + description = "TF Management security group" + vpc_id = var.vpc_id +} + +resource "alicloud_security_group_rule" "permissive_egress" { + type = "egress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = "0.0.0.0/0" +} + +resource "alicloud_security_group_rule" "management_ingress-257" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "257/257" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-8211" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "8211/8211" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18191-2" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18191/18192" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18210-11" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18210/18211" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18221" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18221/18221" + priority = 
1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18264" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18264/18264" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-22" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "22/22" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-433" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "433/433" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-18190" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18190/18190" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-19009" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "19009/19009" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_instance" "management_instance" { + instance_name = var.instance_name + instance_type = var.instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.vswitch_id + security_groups = [alicloud_security_group.management_sg.id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = var.instance_name + }, var.instance_tags) + 
+ user_data = templatefile("${path.module}/management_userdata.yaml", { + // script's arguments + Hostname = var.hostname, + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + AdminSubnet = var.admin_cidr, + IsPrimary = var.is_primary_management, + SICKey = local.gateway_SICkey_base64, + AllocateElasticIP = var.allocate_and_associate_eip, + GatewayManagement = var.gateway_management, + BootstrapScript = local.gateway_bootstrap_script64, + OsVersion = local.version_split + }) +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_instance.management_instance.id +} + +resource "alicloud_ram_role_attachment" "attach" { + count = var.ram_role_name != "" ? 1 : 0 + role_name = var.ram_role_name + instance_ids = alicloud_instance.management_instance.*.id +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/management/management_userdata.yaml b/deprecated/terraform/ali/R81/management/management_userdata.yaml new file mode 100755 index 00000000..f65a203e --- /dev/null +++ b/deprecated/terraform/ali/R81/management/management_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230615\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" 
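Review bot: Rule `management_ingress-433` opens port 433 from `var.admin_cidr`, but the variable's own description promises access for "web" clients, which for the Gaia portal is TCP 443; 433 looks like a typo that leaves the intended service blocked while exposing an unrelated port, so this should read `port_range = "443/443"` (and the resource name should follow). Separately, every ingress rule pairs `ip_protocol = "all"` with a specific `port_range`; as far as I recall the alicloud provider only honours port ranges for tcp/udp and expects `-1/-1` with `all`, so these should be `ip_protocol = "tcp"` (every listed service is TCP) — worth confirming against the pinned provider, because the failure mode is either an apply error or a rule that ignores the port and admits all traffic from the CIDR. `permissive_egress` is unrestricted, which is the usual default for a management server but deserves a one-line comment saying so.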
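Review bot: The `runcmd` line splices `hostName`, `ntpPrimary`, `ntpSecondary`, `shell` and `adminSubnet` into a shell command wrapped only in `\"`, unlike `sicKey`, `passwordHash` and `bootstrapScript64`, which main.tf base64-encodes first; a value containing a space, `"`, `;` or `$(` changes the argument list or executes in the shell. These values come from tfvars, so the exposure is operator error rather than an attacker, but the template should either base64 them the same way or single-quote them. It is also worth a comment that `sicKey` and `passwordHash` arrive base64-encoded, not encrypted, and stay readable in the instance's user data to anyone who can fetch it, e.g. `# NOTE: base64 here is transport encoding only; the SIC key and password hash are recoverable from the instance user data`.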
diff --git a/deprecated/terraform/ali/R81/management/output.tf b/deprecated/terraform/ali/R81/management/output.tf new file mode 100755 index 00000000..82e2f5fe --- /dev/null +++ b/deprecated/terraform/ali/R81/management/output.tf @@ -0,0 +1,19 @@ +output "Deployment" { + value = "Finalizing configuration may take up to 20 minutes after deployment is finished" +} + +output "image_id" { + value = module.images.image_id +} +output "management_instance_id" { + value = alicloud_instance.management_instance.id +} +output "management_instance_name" { + value = alicloud_instance.management_instance.tags["Name"] +} +output "management_instance_tags" { + value = alicloud_instance.management_instance.tags +} +output "management_public_ip" { + value = module.common_eip.instance_eip_public_ip +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/management/terraform.tfvars b/deprecated/terraform/ali/R81/management/terraform.tfvars new file mode 100755 index 00000000..9758387c --- /dev/null +++ b/deprecated/terraform/ali/R81/management/terraform.tfvars 
@@ -0,0 +1,35 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-"
+vswitch_id = "vsw-"
+
+// --- ECS Instances Configuration ---
+instance_name = "CP-Management-tf"
+instance_type = "ecs.g6e.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_essd"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+version_license = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+password_hash = ""
+hostname = "mgmt-tf"
+
+// --- Security Management Server Settings ---
+is_primary_management = "true"
+SICKey = ""
+allow_upload_download = "true"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
+bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt"
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/management/variables.tf b/deprecated/terraform/ali/R81/management/variables.tf
new file mode 100755
index 00000000..c91dd06e
--- /dev/null
+++ b/deprecated/terraform/ali/R81/management/variables.tf
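Review bot: The example values `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` are exactly what main.tf feeds into the `cidr_ip` of the SSH (22), 18190 and 19009 rules, so anyone who copies this file and only fills in the IDs gets a management server reachable from the whole internet on those ports. Ship placeholders that cannot apply unchanged, e.g. `admin_cidr = "<ADMIN-CIDR, e.g. 203.0.113.0/24>"`, or at minimum a comment above them: `// WARNING: 0.0.0.0/0 exposes SSH and SmartConsole ports to the internet; restrict to your admin network`. `is_primary_management = "true"` and `allow_upload_download = "true"` are quoted strings for variables declared `bool`; Terraform converts them, but unquoted `true` matches the declared type and avoids the implicit conversion.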
@@ -0,0 +1,128 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "vswitch_id" { + type = string + description = "To access the instance from the internet, make sure the vswitch has a route to the internet" +} + +// --- ECS Instance Configuration --- +variable "instance_name" { + type = string + description = "AliCloud instance name to launch" + default = "CP-Management-tf" +} +variable "instance_type" { + type = string + description = "" + default ="ecs.g6e.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "When set to 'true', an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_essd" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Management ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "version_license" { + type = string + description = "version and license" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.version_license +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "hostname" { + type = string + description = "(Optional)" + default = "" +} + +// --- Security Management Server Settings --- +variable "is_primary_management" { + type = bool + description = "true/false. Determines if this is the primary management server or not" + default = true +} +variable "SICKey" { + type = string + description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Management Server" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} +variable "bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/management/versions.tf b/deprecated/terraform/ali/R81/management/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/deprecated/terraform/ali/R81/management/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/deprecated/terraform/ali/R81/modules/cluster-ram-role/locals.tf b/deprecated/terraform/ali/R81/modules/cluster-ram-role/locals.tf new file mode 100755 index 00000000..395b7d40 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/cluster-ram-role/locals.tf 
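Review bot: `SICKey` and `password_hash` are secrets but neither variable block sets `sensitive = true`, so their values are printed in plan/apply output and propagate unredacted into anything derived from them; `required_version = ">= 0.14.3"` in versions.tf means the attribute is available. Add `sensitive = true` to both blocks. The flag does not keep the values out of the state file or out of the instance `user_data` that main.tf builds from them, which the descriptions should say so operators protect state and user-data access accordingly. `admin_cidr` and `gateway_addresses` correctly have no default; a `validation { condition = var.admin_cidr != "0.0.0.0/0" ... }` block would stop the syntax-only regex in locals.tf from admitting the world.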
@@ -0,0 +1,5 @@ +locals { + ram_role_name = format("%s-ram-role-%s", var.gateway_name, random_id.ram_uuid.hex) + ram_policy_name = format("%s-ram-policy-%s", var.gateway_name, random_id.ram_uuid.hex) + +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/cluster-ram-role/main.tf b/deprecated/terraform/ali/R81/modules/cluster-ram-role/main.tf new file mode 100755 index 00000000..95840d8b --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/cluster-ram-role/main.tf 
@@ -0,0 +1,54 @@ +resource "random_id" "ram_uuid" { + byte_length = 5 +} + +resource "alicloud_ram_role" "ram_role" { + name = local.ram_role_name + document = <= 100 ? 0 : "volume_size must be at least 100" +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateway" + default = "ecs.c5.xlarge" +} +module "validate_instance_type" { + source = "../instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" + default = {} +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "image_id" { + type = string + description = "The image ID to use for the instance" +} +variable "security_groups" { + type = list(string) + description = "The security groups of the instance" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/gateway_instance/versions.tf b/deprecated/terraform/ali/R81/modules/common/gateway_instance/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/gateway_instance/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/instance_type/main.tf b/deprecated/terraform/ali/R81/modules/common/instance_type/main.tf new file mode 100755 index 00000000..4a3d6ba1 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/instance_type/main.tf 
@@ -0,0 +1,28 @@ +locals { + gw_types = [ + "ecs.g5ne.large", + "ecs.g5ne.xlarge", + "ecs.g5ne.2xlarge", + "ecs.g5ne.4xlarge", + "ecs.g5ne.8xlarge", + "ecs.g7ne.large", + "ecs.g7ne.xlarge", + "ecs.g7ne.2xlarge", + "ecs.g7ne.4xlarge", + "ecs.g7ne.8xlarge" + ] + mgmt_types = [ + "ecs.g6e.large", + "ecs.g6e.xlarge", + "ecs.g6e.2xlarge", + "ecs.g6e.4xlarge", + "ecs.g6e.8xlarge" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_types : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_types : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values) + is_allowed_type = index(local.allowed_values, var.instance_type) +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/instance_type/variables.tf b/deprecated/terraform/ali/R81/modules/common/instance_type/variables.tf new file mode 100755 index 00000000..f114cf20 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/instance_type/variables.tf @@ -0,0 +1,20 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management" + //"server" + ] + // Will fail if var.chkp_type is invalid + validate_instance_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "instance_type" { + type = string + description = "Alicloud Instance type" +} + diff --git a/deprecated/terraform/ali/R81/modules/common/instance_type/versions.tf b/deprecated/terraform/ali/R81/modules/common/instance_type/versions.tf new file mode 100755 index 00000000..0ec4dcca --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/instance_type/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.14.3" +} \ No newline at end of file 
diff --git a/deprecated/terraform/ali/R81/modules/common/internal_default_route/locals.tf b/deprecated/terraform/ali/R81/modules/common/internal_default_route/locals.tf new file mode 100755 index 00000000..493c4d9a --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/internal_default_route/locals.tf @@ -0,0 +1,3 @@ +locals { + internal_route_table_condition = var.private_route_table != "" ? 1 : 0 +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/internal_default_route/main.tf b/deprecated/terraform/ali/R81/modules/common/internal_default_route/main.tf new file mode 100755 index 00000000..7290ad9e --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/internal_default_route/main.tf @@ -0,0 +1,7 @@ +resource "alicloud_route_entry" "internal_default_route" { + count = local.internal_route_table_condition + route_table_id = var.private_route_table + destination_cidrblock = "0.0.0.0/0" + nexthop_type = "NetworkInterface" + nexthop_id = var.internal_eni_id +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/internal_default_route/output.tf b/deprecated/terraform/ali/R81/modules/common/internal_default_route/output.tf new file mode 100755 index 00000000..fde54050 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/internal_default_route/output.tf @@ -0,0 +1,3 @@ +output "internal_default_route_id" { + value = alicloud_route_entry.internal_default_route.*.id +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/internal_default_route/variables.tf b/deprecated/terraform/ali/R81/modules/common/internal_default_route/variables.tf new file mode 100755 index 00000000..b8e2f458 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/internal_default_route/variables.tf 
@@ -0,0 +1,9 @@
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default=""
+}
+variable "internal_eni_id" {
+ type = string
+ description = "The internal-eni of the security gateway"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/common/internal_default_route/versions.tf b/deprecated/terraform/ali/R81/modules/common/internal_default_route/versions.tf
new file mode 100755
index 00000000..906a4df0
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/common/internal_default_route/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/common/permissive_sg/main.tf b/deprecated/terraform/ali/R81/modules/common/permissive_sg/main.tf
new file mode 100755
index 00000000..2ee7b17b
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/common/permissive_sg/main.tf
@@ -0,0 +1,27 @@
+resource "alicloud_security_group" "permissive_sg" {
+ name = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name)
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+}
+
+resource "alicloud_security_group_rule" "permissive_egress" {
+ type = "egress"
+ ip_protocol = "all"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "-1/-1"
+ priority = 1
+ security_group_id = alicloud_security_group.permissive_sg.id
+ cidr_ip = "0.0.0.0/0"
+}
+
+resource "alicloud_security_group_rule" "permissive_ingress" {
+ type = "ingress"
+ ip_protocol = "all"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "-1/-1"
+ priority = 1
+ security_group_id = alicloud_security_group.permissive_sg.id
+ cidr_ip = "0.0.0.0/0"
+}
\ No newline at end of file
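Review bot: `permissive_ingress` accepts every protocol and port from `0.0.0.0/0`, and the module's variables (vpc_id, resources_tag_name, gateway_name) give a caller no way to narrow it. For a security gateway whose own policy is the enforcement point that is presumably the intended design, but the resource should say so, otherwise every scanner and reviewer will file it as an open security group: `// Intentionally open: the Check Point gateway policy, not this security group, enforces access control`. A `cidr_ip` variable defaulting to `"0.0.0.0/0"` would let deployments with a known upstream range tighten the ingress without forking the module.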
diff --git a/deprecated/terraform/ali/R81/modules/common/permissive_sg/output.tf b/deprecated/terraform/ali/R81/modules/common/permissive_sg/output.tf new file mode 100755 index 00000000..d8b5df1e --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/permissive_sg/output.tf @@ -0,0 +1,6 @@ +output "permissive_sg_id" { + value = alicloud_security_group.permissive_sg.id +} +output "permissive_sg_name" { + value = alicloud_security_group.permissive_sg.name +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/permissive_sg/variables.tf b/deprecated/terraform/ali/R81/modules/common/permissive_sg/variables.tf new file mode 100755 index 00000000..d2afaad2 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/permissive_sg/variables.tf @@ -0,0 +1,13 @@ +variable "vpc_id" { + type = string +} +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/permissive_sg/versions.tf b/deprecated/terraform/ali/R81/modules/common/permissive_sg/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/permissive_sg/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/version_license/main.tf b/deprecated/terraform/ali/R81/modules/common/version_license/main.tf new file mode 100755 index 00000000..94d144cd --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/version_license/main.tf 
@@ -0,0 +1,23 @@ +locals { + gw_versions = [ + //"R81-PAYG-NGTP", + // "R81-PAYG-NGTX", + "R81-BYOL", + "R81.10-BYOL", + "R81.20-BYOL" + ] + mgmt_versions = [ + //"R81-PAYG", + "R81-BYOL", + "R81.10-BYOL", + "R81.20-BYOL" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_versions : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_versions : [] + // standalone_values = var.chkp_type == "standalone" ? local.standalone_versions : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values)//, local.standalone_values) + is_allowed_type = index(local.allowed_values, var.version_license) +} \ No newline at end of file diff --git a/deprecated/terraform/ali/R81/modules/common/version_license/variables.tf b/deprecated/terraform/ali/R81/modules/common/version_license/variables.tf new file mode 100755 index 00000000..9ecf1643 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/version_license/variables.tf @@ -0,0 +1,19 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "standalone",] + // Will fail if var.chkp_type is invalid + validate_chkp_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "version_license" { + type = string + description = "AliCloud Version license" +} + diff --git a/deprecated/terraform/ali/R81/modules/common/version_license/versions.tf b/deprecated/terraform/ali/R81/modules/common/version_license/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/common/version_license/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file 
diff --git a/deprecated/terraform/ali/R81/modules/images/images.yaml b/deprecated/terraform/ali/R81/modules/images/images.yaml new file mode 100755 index 00000000..c2eb1d52 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/images/images.yaml 
@@ -0,0 +1,210 @@ +Description: Returns a Check Point AliCloud Machine ID (__VERSION__) +Parameters: + Version: + Description: Security Gateway or Management Server version + Type: String + Default: R81.20-BYOL-GW + AllowedValues: + - R81-BYOL-GW + - R81-BYOL-MGMT + - R81.10-BYOL-GW + - R81.10-BYOL-MGMT + - R81.20-BYOL-GW + - R81.20-BYOL-MGMT +Mappings: + ConverterMap: + R81-BYOL-GW: + Value: R81BYOLGW + R81-BYOL-MGMT: + Value: R81BYOLMGMT + R81.10-BYOL-GW: + Value: R8110BYOLGW + R81.10-BYOL-MGMT: + Value: R8110BYOLMGMT + R81.20-BYOL-GW: + Value: R8120BYOLGW + R81.20-BYOL-MGMT: + Value: R8120BYOLMGMT + RegionMap: + cn-hongkong: + R81BYOLMGMT: m-j6c55b1lpz95colzzz1y + R81BYOLGW: m-j6c3gd3gcahojs40842v + R8110BYOLMGMT: m-j6c5n6p0tkx8clx72qes + R8110BYOLGW: m-j6c0x6ugw2012axbdmkn + R8120BYOLMGMT: m-j6c2gv0tohwb5otjzbk4 + R8120BYOLGW: m-j6cdnsm44k0csckg4cxa + ap-southeast-1: + R81BYOLMGMT: m-t4ngdphpnhzw065e30jt + R81BYOLGW: m-t4n99ag8zbinnc7n7xmw + R8110BYOLMGMT: m-t4n9x963l2fx13d4mzi8 + R8110BYOLGW: m-t4ndsvficp1ukrcpt4as + R8120BYOLMGMT: m-t4n3m9t1icbv1ptf8b67 + R8120BYOLGW: m-t4nj16t8nnlp7a70214i + us-west-1: + R81BYOLMGMT: m-rj95ffd9q3c8u7rpc7v5 + R81BYOLGW: m-rj9eblv5oe0ypm77no86 + R8110BYOLMGMT: m-rj9ebcmy6gxp3lzkjnrp + R8110BYOLGW: m-rj952h5pzgaecqhg9h6u + R8120BYOLMGMT: m-rj92n7t0j5uvmss2dak5 + R8120BYOLGW: m-rj99hmyezcyqa0in2us9 + us-east-1: + R81BYOLMGMT: m-0xi064illsngi8q7ejln + R81BYOLGW: m-0xiiv7m3m3ex8zai0lq4 + R8110BYOLMGMT: m-0xie3j6n8rxa26v6abni + R8110BYOLGW: m-0xiebcmy6gxpiyg830vh + R8120BYOLMGMT: m-0xihsclzmkgsxpsmfil2 + R8120BYOLGW: m-0xickak3e8yimpt90lh9 + ap-southeast-2: + R81BYOLMGMT: m-p0w0pl2rajygi6otl2mh + R81BYOLGW: m-p0w78ynl3rpgo1yq43qf + R8110BYOLMGMT: m-p0w7z34zl8gl2nmgzo75 + R8110BYOLGW: m-p0w2nhgtaqxil6bruwe2 + R8120BYOLMGMT: m-p0w2mgbmrn1pq4973ncq + R8120BYOLGW: m-p0wd45q8v82grbipwqkw + ap-southeast-3: + R81BYOLMGMT: m-8psi42zrfpq57cibgu2b + R81BYOLGW: m-8ps8swns48itw97zsb2i + R8110BYOLMGMT: m-8psc710cdd9x9guiajuk + R8110BYOLGW: 
m-8ps6mel7llq3ffzc2txa + R8120BYOLMGMT: m-8psc710cdd9x6k9vbn5m + R8120BYOLGW: m-8psf1zkz08byz41qrt1r + ap-southeast-5: + R81BYOLMGMT: m-k1aajdkea2t5oyxicbu8 + R81BYOLGW: m-k1afqua8zzbgdaosx7sf + R8110BYOLMGMT: m-k1ahug645c79svl6tgbp + R8110BYOLGW: m-k1a6n0hj1qidjiig80o0 + R8120BYOLMGMT: m-k1ahgt585wlm71lmpmg1 + R8120BYOLGW: m-k1a20f2u7nspfcja9mfc + ap-southeast-6: + R81BYOLMGMT: m-5ts832hgbk52wwnxzjlx + R81BYOLGW: m-5tsf5buudxrwbijypr0v + R8110BYOLMGMT: m-5tsa5qwchhf7q22qj685 + R8110BYOLGW: m-5tsdw01mce246abvrnes + R8120BYOLMGMT: m-5ts5ukwjgsl6t34hx7po + R8120BYOLGW: m-5tsa5qwchhf7pw5n70as + ap-northeast-1: + R81BYOLMGMT: m-6we8l9kvu9shqf3j5v4e + R81BYOLGW: m-6we42rtltap69nckfynw + R8110BYOLMGMT: m-6we20qh4jffzabapyyle + R8110BYOLGW: m-6wefezctjbied9npzp1n + R8120BYOLMGMT: m-6weihbzpoyt5h6i2i42e + R8120BYOLGW: m-6we215381e51fkneyv5v + eu-central-1: + R81BYOLMGMT: m-gw81j322yjmx03hq26qt + R81BYOLGW: m-gw82fm7sbwj7x6fpj1mn + R8110BYOLMGMT: m-gw89gvg18gk6nzo3gxe1 + R8110BYOLGW: m-gw8divjg7azjl2ndt34v + R8120BYOLMGMT: m-gw8csbodb1ntgbtu653c + R8120BYOLGW: m-gw83wxmsb5524ke9f6m7 + eu-west-1: + R81BYOLMGMT: m-d7ocob57ud2nqiv9fk8w + R81BYOLGW: m-d7oez9xgn0qg5g815tip + R8110BYOLMGMT: m-d7o7nj4f81gs8cyo52jd + R8110BYOLGW: m-d7o7nj4f81gsnpfbofnh + R8120BYOLMGMT: m-d7o63e77fokjsv4aq4kt + R8120BYOLGW: m-d7oj29ec4xx04sr8h61z + me-east-1: + R81BYOLMGMT: m-eb35op3wyu89kabry2zw + R81BYOLGW: m-eb35op3wyu89iv0z0nmz + R8110BYOLMGMT: m-eb33tyrfiy726a0xlw6g + R8110BYOLGW: m-eb30m4ho9mkzfb3xi78i + R8120BYOLMGMT: m-eb3bbb1nen46tqmcujmn + R8120BYOLGW: m-eb3dphy5uzm33cduxr7i + ap-south-1: + R81BYOLMGMT: m-a2d16a0v0ms9mg5xh1nm + R81BYOLGW: m-a2didx39bhgf547thni0 + R8110BYOLMGMT: m-a2d4ffz0q8dflg62j0zq + R8110BYOLGW: m-a2d9j14yemliag92m9d1 + R8120BYOLMGMT: m-a2d1e5s7uy9vv5a6n9cn + R8120BYOLGW: m-a2d1e5s7uy9vxvxqa04e + ap-southeast-7: + R81BYOLMGMT: m-0jo742iyh0qbzg51b6fd + R81BYOLGW: m-0joian1mgt9qt2lpvfnk + R8110BYOLMGMT: m-0jo3qwrwsdx3663is0b4 + R8110BYOLGW: m-0jogq1yzljp8ziw4caci + 
R8120BYOLMGMT: m-0jo67k42jvg301wis5ol + R8120BYOLGW: m-0jo5t1ypg4zy4h12i9c5 + ap-northeast-2: + R81BYOLMGMT: m-mj75cxsn1dhdiqhfc3a0 + R81BYOLGW: m-mj7bybnr5b9gebqrf3xt + R8110BYOLMGMT: m-mj7h0j7db1ryrwczg9ef + R8110BYOLGW: m-mj73osasl4gyi0zqscr5 + R8120BYOLMGMT: m-mj7aktw6610pznjgb16z + R8120BYOLGW: m-mj79jylrqomj0fv99s3b + cn-qingdao: + R81BYOLMGMT: m-m5e1i33z6ohq98tllukn + R81BYOLGW: m-m5eb1zyo5cjbvte7ovay + R8110BYOLMGMT: m-m5eftm32pjq4ghtwcn25 + R8110BYOLGW: m-m5ef0hxxec3ws2c2y26b + R8120BYOLMGMT: m-m5ebt96quorb2gj7dhku + R8120BYOLGW: m-m5eftm32pjq4g9xrwf5o + cn-beijing: + R81BYOLMGMT: m-2ze5d2jit72gotjw5d77 + R81BYOLGW: m-2zec8i2qli4cnqfw9e3o + R8110BYOLMGMT: m-2zehvbpbae19t51owc0j + R8110BYOLGW: m-2zeiwvllkl9jybavtmey + R8120BYOLMGMT: m-2ze1781062lxfwe35d1p + R8120BYOLGW: m-2ze347cq3f6fg3udyb1p + cn-zhangjiakou: + R81BYOLMGMT: m-8vb1rjkshxdaynvqbexj + R81BYOLGW: m-8vb1rjkshxdax8kxdzkk + R8110BYOLMGMT: m-8vb83tbc4hwpesbvte9d + R8110BYOLGW: m-8vbblzj10mzvpnkzdint + R8120BYOLMGMT: m-8vbeoj3rrq2tm6o5bhaa + R8120BYOLGW: m-8vbd1bffbjhlxjkb0k4i + cn-huhehaote: + R81BYOLMGMT: m-hp309790we62uhpo5eed + R81BYOLGW: m-hp3ab2tvfxuar5snxu2r + R8110BYOLMGMT: m-hp3h3tzxij7kl9tdrqg2 + R8110BYOLGW: m-hp325dwey9rn4tyiyuyu + R8120BYOLMGMT: m-hp31ci7e1eeaj062wki0 + R8120BYOLGW: m-hp31ci7e1eealqtmjb9n + cn-wulanchabu: + R81BYOLMGMT: m-0jlhwuucdujv3wee7m96 + R81BYOLGW: m-0jle5qxpr97s1c64e72k + R8110BYOLMGMT: m-0jl54w11sr4odheytky1 + R8110BYOLGW: m-0jlbavg2r5fjc4jxypp7 + R8120BYOLMGMT: m-0jl54w11sr4oakubuo94 + R8120BYOLGW: m-0jlbavg2r5fiwm6736o3 + cn-hangzhou: + R81BYOLMGMT: m-bp14kps2wrk6qquv5ok0 + R81BYOLGW: m-bp1aa9u6zcazi4o1hnjh + R8110BYOLMGMT: m-bp1dz2nq9fqppcf8smpk + R8110BYOLGW: m-bp1hamqhfny1smyl8ql7 + R8120BYOLMGMT: m-bp149dep83kgo5p0dw3l + R8120BYOLGW: m-bp1gvq0d0413vbnakoqj + cn-shanghai: + R81BYOLMGMT: m-uf6cj9tqmxx1bsfmbu45 + R81BYOLGW: m-uf63qkdigbprn96zy3vm + R8110BYOLMGMT: m-uf655j7a9r7otwa2xemv + R8110BYOLGW: m-uf6idj2b3zt57omxvzbr + R8120BYOLMGMT: 
m-uf62vrhc5bapfoy9lw7n + R8120BYOLGW: m-uf6c9vxp1n58y56ep033 + cn-shenzhen: + R81BYOLMGMT: m-wz9d9s75jsh11z089uuj + R81BYOLGW: m-wz9czejz43gyhdztsjnr + R8110BYOLMGMT: m-wz95gswem9lea2z0d9se + R8110BYOLGW: m-wz93e5pwshkmiv35y9ii + R8120BYOLMGMT: m-wz9am290ax9js6dfdt5o + R8120BYOLGW: m-wz94fs2enyvm6qhx3ged + cn-heyuan: + R81BYOLMGMT: m-f8z61z784gwfm1fhxgre + R81BYOLGW: m-f8z7wvp6hhvsvevtpb0j + R8110BYOLMGMT: m-f8z5o7741si10yq0piws + R8110BYOLGW: m-f8z985hmyc9d8951pr76 + R8120BYOLMGMT: m-f8zj0s3cyg3glnlz414g + R8120BYOLGW: m-f8z5o7741si10ssxdczf + cn-guangzhou: + R81BYOLMGMT: m-7xv95xjo0yd0lg4y1z9p + R81BYOLGW: m-7xv95xjo0yd0k0u54jwr + R8110BYOLMGMT: m-7xv4bih29ge5i2je9amd + R8110BYOLGW: m-7xv7i7fhzogppdgxa2cc + R8120BYOLMGMT: m-7xv3lyr4gpzmp8ei0qgi + R8120BYOLGW: m-7xv7i7fhzogp9v36ejbr + cn-chengdu: + R81BYOLMGMT: m-2vcho1h20xnncjlroavq + R81BYOLGW: m-2vc0m9vq9oty74yz83d4 + R8110BYOLMGMT: m-2vc13w2rjk7p9o285gtj + R8110BYOLGW: m-2vc13w2rjk7pp0ivotxs + R8120BYOLMGMT: m-2vc0nlbyccv29t5ql0oh + R8120BYOLGW: m-2vcd6ume44qej9ffhaxg diff --git a/deprecated/terraform/ali/R81/modules/images/main.tf b/deprecated/terraform/ali/R81/modules/images/main.tf new file mode 100755 index 00000000..86231617 --- /dev/null +++ b/deprecated/terraform/ali/R81/modules/images/main.tf 
@@ -0,0 +1,20 @@
+locals {
+ images_yaml_regionMap = yamldecode(split("Resources", file("${path.module}/images.yaml"))[0]).Mappings.RegionMap
+ images_yaml_converterMap = yamldecode(split("Resources", file("${path.module}/images.yaml"))[0]).Mappings.ConverterMap
+
+
+ // Variables example:
+ // version_license = "R81.20-BYOL"
+ // RESULT:
+ // version_license_key = "R81.20-BYOL-GW"
+ // version_license_value = "R8120BYOLGW"
+
+ version_license_key = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management" ? "-MGMT" : "")
+ version_license_value = local.images_yaml_converterMap[local.version_license_key]["Value"]
+
+ // Variables example:
+ // region = "us-east-1"
+ // version_license_key - see above
+ // RESULT: local.image_id = "m-1234567"
+ image_id = local.images_yaml_regionMap[local.region][local.version_license_value]
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/images/output.tf b/deprecated/terraform/ali/R81/modules/images/output.tf
new file mode 100755
index 00000000..a4611551
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/images/output.tf
@@ -0,0 +1,6 @@
+output "image_id" {
+ value = local.image_id
+}
+output "version_license_with_sufix" {
+ value = local.version_license_key
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/images/variables.tf b/deprecated/terraform/ali/R81/modules/images/variables.tf
new file mode 100755
index 00000000..0c646605
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/images/variables.tf
@@ -0,0 +1,20 @@
+data "alicloud_regions" "current" {
+ current = true
+}
+locals {
+ region = data.alicloud_regions.current.regions.0.id
+}
+
+// --- Version and license ---
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+
+variable "version_license" {
+ type = string
+ description = "Version and license"
+ default = "R81.20-BYOL"
+}
+
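Review bot: `version_license_key` appends no suffix when `var.chkp_type` is anything other than "gateway" or "management", so a typo such as "gateways" becomes a lookup of `local.images_yaml_converterMap["R81.20-BYOL"]` and fails only with an opaque missing-key error. With `required_version = ">= 0.14.3"` the `chkp_type` variable in the variables.tf hunk on this same line can carry `validation { condition = contains(["gateway", "management"], var.chkp_type) error_message = "chkp_type must be gateway or management." }` so the bad value fails at plan time with a readable message. As a style point, the two identical `yamldecode(split("Resources", file("${path.module}/images.yaml"))[0])` expressions could be hoisted into one local that both map lookups read.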
diff --git a/deprecated/terraform/ali/R81/modules/images/versions.tf b/deprecated/terraform/ali/R81/modules/images/versions.tf
new file mode 100755
index 00000000..0ec4dcca
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/images/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/vpc/locals.tf b/deprecated/terraform/ali/R81/modules/vpc/locals.tf
new file mode 100755
index 00000000..1e3622f2
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/vpc/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ regex_valid_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/ali/R81/modules/vpc/main.tf b/deprecated/terraform/ali/R81/modules/vpc/main.tf
new file mode 100755
index 00000000..55ae14a9
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/vpc/main.tf
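Review bot: The error text in `regex_vpc_cidr` is unreachable: `regex()` raises its own error when `var.vpc_cidr` does not match, and because `regex_valid_cidr` is anchored with `^...$` any match equals the input, so the `? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"` branch never produces that message and the operator sees a raw regex failure instead. A `validation` block on `vpc_cidr` with `condition = can(regex("<pattern>", var.vpc_cidr))` and that string as `error_message` gives the intended result (validation conditions may only reference the variable itself, so the pattern has to be inlined there); `required_version = ">= 0.14.3"` already permits it. The same construction is used for `regex_key_name_result`, `regex_sic_result`, `regex_gateway_password_hash` and `regex_gateway_maintenance_mode_password_hash` in the autoscale-gwlb locals.tf hunk later in this commit.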
@@ -0,0 +1,38 @@
+// --- VPC ---
+resource "alicloud_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+ vpc_name = var.vpc_name
+}
+
+// --- Public Vswitch ---
+resource "alicloud_vswitch" "publicVsw" {
+ for_each = var.public_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Public-vswitch-%s", each.value)
+ tags = {}
+}
+
+// --- Management Vswitch ---
+resource "alicloud_vswitch" "managementVsw" {
+ for_each = var.management_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Management-vswitch-%s", each.value)
+ tags = {}
+}
+
+// --- Private Vswitch ---
+resource "alicloud_vswitch" "privateVsw" {
+ for_each = var.private_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Private-vswitch-%s", each.value)
+ tags = {}
+}
diff --git a/deprecated/terraform/ali/R81/modules/vpc/output.tf b/deprecated/terraform/ali/R81/modules/vpc/output.tf
new file mode 100755
index 00000000..ce218660
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/vpc/output.tf
@@ -0,0 +1,15 @@
+output "vpc_id" {
+ value = alicloud_vpc.vpc.id
+}
+output "vpc_name" {
+ value = alicloud_vpc.vpc.name
+}
+output "public_vswitchs_ids_list" {
+ value = [for public_vswitch in alicloud_vswitch.publicVsw : public_vswitch.id ]
+}
+output "management_vswitchs_ids_list" {
+ value = [for management_vswitch in alicloud_vswitch.managementVsw : management_vswitch.id ]
+}
+output "private_vswitchs_ids_list" {
+ value = [for private_vswitch in alicloud_vswitch.privateVsw : private_vswitch.id]
+}
diff --git a/deprecated/terraform/ali/R81/modules/vpc/variables.tf b/deprecated/terraform/ali/R81/modules/vpc/variables.tf
new file mode 100755
index 00000000..bb0807f5
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/vpc/variables.tf
@@ -0,0 +1,23 @@
+variable "vpc_cidr" {
+ type = string
+}
+variable "vpc_name" {
+ type = string
+}
+variable "public_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-e\" = 1} ) "
+}
+variable "management_vswitchs_map" {
+ type = map(string)
+ description = "(Optional) A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-e\" = 3} ) "
+ default = {}
+}
+variable "private_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-f\" = 3} ) "
+}
+variable "vswitchs_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20"
+}
diff --git a/deprecated/terraform/ali/R81/modules/vpc/versions.tf b/deprecated/terraform/ali/R81/modules/vpc/versions.tf
new file mode 100755
index 00000000..906a4df0
--- /dev/null
+++ b/deprecated/terraform/ali/R81/modules/vpc/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/README.md b/deprecated/terraform/aws/R80.40/autoscale-gwlb/README.md
new file mode 100755
index 00000000..0e04c944
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/README.md
@@ -0,0 +1,185 @@ +# Check Point CloudGuard Network Auto Scaling GWLB Terraform module for AWS + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC. + +These types of Terraform resources are supported: +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [Security group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) + + +See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Topics-AWS-AutoScale-DG/Check-Point-CloudGuard-Network-for-AWS.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "env1" + asg_name = "autoscaling_group" + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-abc123", "subnet-def456"] + + // --- Automatic Provisioning with Security Management Server Settings --- + gateways_provision_address_type = "private" + allocate_public_IP = false + management_server = "mgmt_env1" + configuration_template = "tmpl_env1" + + // --- EC2 Instances Configuration --- + gateway_name = "asg_gateway" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + instances_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Auto Scaling Configuration --- + minimum_group_size = 2 + maximum_group_size = 10 + target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"] + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
 - Add description for reserved words in hostname |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/asg_userdata.yaml b/deprecated/terraform/aws/R80.40/autoscale-gwlb/asg_userdata.yaml
new file mode 100755
index 00000000..bb095c01
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/asg_userdata.yaml
@@ -0,0 +1,29 @@
+#cloud-config
+network:
+ version: 1
+ config:
+ - type: bridge
+ name: br0
+ mtu: *eth0-mtu
+ subnets:
+ - address: *eth0-private
+ type: static
+ gateway: *default-gateway
+ dns_nameservers:
+ - *eth0-dns1
+ bridge_interfaces:
+ - eth0
+kernel_parameters:
+ sim:
+ - sim_geneve_enabled=1
+ - sim_geneve_br_dev=br0
+ fw:
+
+ - fwtls_bridge_mode_inspection=1
+ - fw_geneve_enabled=1
+bootcmd:
+ - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
+ - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/locals.tf b/deprecated/terraform/aws/R80.40/autoscale-gwlb/locals.tf
new file mode 100755
index 00000000..ef1abdf2
--- /dev/null
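Review bot: The `runcmd` line passes `sicKey`, `passwordHash` and `MaintenanceModePassword` as command-line arguments to `/etc/cloud_config.py`, and the whole rendered document is stored as EC2 user data; the base64 applied in locals.tf is encoding, not protection, so the SIC key is readable by any principal with `ec2:DescribeInstanceAttribute` on the instance and by any local process through the metadata service (IMDSv2 still serves user data to the instance itself). The README should at least state that user data carries the SIC key and the password hashes; if the Check Point provisioning script supports it, fetching the SIC key at boot from SSM Parameter Store or Secrets Manager through the instance role would keep it out of user data entirely. Separately, `templateVersion=\"20231012\"` is hardcoded here while the README revision history in this commit lists 20240417 as the latest version, so one of the two looks stale.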
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/locals.tf 
@@ -0,0 +1,56 @@
+locals {
+ asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+ create_iam_role = var.enable_cloudwatch ? 1 : 0
+
+ gateways_provision_address_type_allowed_values = [
+ "public",
+ "private"
+ ]
+ // Will fail if var.gateways_provision_address_type is invalid
+ validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+
+ tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+ is_gwlb_ami = length(regexall(".*R80.40.*", var.gateway_version)) > 0
+
+}
+resource "null_resource" "tags_as_list_of_maps" {
+ count = length(keys(var.instances_tags))
+
+ triggers = {
+ "key" = keys(var.instances_tags)[count.index]
+ "value" = values(var.instances_tags)[count.index]
+ "propagate_at_launch" = "true"
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/main.tf b/deprecated/terraform/aws/R80.40/autoscale-gwlb/main.tf
new file mode 100755
index 00000000..6a43b892
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/main.tf
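Review bot: `tags_asg_format` and the `null_resource.tags_as_list_of_maps` it reads look dead: the main.tf hunk in this commit builds the ASG tags with `dynamic "tag" { for_each = var.instances_tags }` and never references `local.tags_asg_format`, and `regex_valid_cidr_range` is not referenced in the visible files either. If nothing outside this commit consumes them, removing the local and the `null_resource` block also drops the null provider requirement. In `is_gwlb_ami` the dots in `".*R80.40.*"` are unescaped, so any character is accepted between `R80` and `40`; `length(regexall("R80\\.40", var.gateway_version)) > 0` states the intent exactly.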
@@ -0,0 +1,202 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+ version_license = var.gateway_version
+ amis_url = local.is_gwlb_ami == true ? "https://cgi-cfts-staging.s3.amazonaws.com/gwlb/amis-gwlb.yaml" : "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml"
+
+}
+
+resource "aws_security_group" "permissive_sg" {
+ name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = format("%s_PermissiveSecurityGroup", local.asg_name)
+ }
+}
+
+resource "aws_launch_template" "asg_launch_template" {
+ name_prefix = local.asg_name
+ image_id = module.amis.ami_id
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ network_interfaces {
+ associate_public_ip_address = var.allocate_public_IP
+ security_groups = [aws_security_group.permissive_sg.id]
+ }
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ iam_instance_profile {
+ name = ( var.enable_cloudwatch ? 
aws_iam_instance_profile.instance_profile[0].name : "")
+ }
+
+ monitoring {
+ enabled = true
+ }
+
+ block_device_mappings {
+ device_name = "/dev/xvda"
+ ebs {
+ volume_type = var.volume_type
+ volume_size = var.volume_size
+ encrypted = var.enable_volume_encryption
+ }
+ }
+
+ description = "Initial template version"
+
+ user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
+ // script's arguments
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ EnableCloudWatch = var.enable_cloudwatch,
+ EnableInstanceConnect = var.enable_instance_connect,
+ Shell = var.admin_shell,
+ SICKey = local.gateway_SICkey_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ BootstrapScript = local.gateway_bootstrap_script64,
+ OsVersion = local.version_split
+ }))
+}
+resource "aws_autoscaling_group" "asg" {
+ name_prefix = local.asg_name
+ launch_template {
+ id = aws_launch_template.asg_launch_template.id
+ version = aws_launch_template.asg_launch_template.latest_version
+ }
+ min_size = var.minimum_group_size
+ max_size = var.maximum_group_size
+ target_group_arns = var.target_groups
+ vpc_zone_identifier = var.subnet_ids
+ health_check_grace_period = 3600
+ health_check_type = "ELB"
+
+ tag {
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "x-chkp-topology"
+ value = "internal"
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "x-chkp-solution"
+ value = "autoscale_gwlb"
+ propagate_at_launch = true
+ }
+
+ dynamic "tag" {
+ for_each = var.instances_tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_role_policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ effect = "Allow"
+ }
+}
+
+resource "aws_iam_role" "role" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_role", local.asg_name)
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
+ path = "/"
+}
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.create_iam_role
+ role = aws_iam_role.role[count.index].name
+ tag_name = local.asg_name
+}
+resource "aws_iam_instance_profile" "instance_profile" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_instance_profile", local.asg_name)
+ path = "/"
+ role = aws_iam_role.role[count.index].name
+}
+
+// Scaling metrics
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
+ alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-down if CPU < 60% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 60
+ alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ 
comparison_operator = "LessThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_down", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 80
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_up", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = 1
+}
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/output.tf b/deprecated/terraform/aws/R80.40/autoscale-gwlb/output.tf
new file mode 100755
index 00000000..ce5f76ce
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/output.tf
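Review bot: `module "amis"` resolves the AMI to launch from `https://cgi-cfts-staging.s3.amazonaws.com/...` at plan time, so the image every gateway boots is decided by the current contents of an externally hosted file — in a bucket named *staging* — with no version pin or integrity check visible in this hunk, and whoever can write to that bucket selects the AMI. Pin the lookup to a versioned artifact the repository controls, or at least verify the fetched document against a known digest and point at the production path, and document the dependency in the README. The ingress rule of `aws_security_group.permissive_sg` allows every protocol from `0.0.0.0/0`, and with `allocate_public_IP = true` that exposes the gateway's own management services rather than only the GENEVE data path; restricting ingress to the VPC CIDR and the GWLB endpoint subnets, with the open rule as an explicit opt-in, would be the safer default. The `provider "aws"` block still reads `var.access_key`/`var.secret_key`, so static credentials in `terraform.tfvars` remain the path of least resistance despite the README's environment-variable option.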
@@ -0,0 +1,41 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = aws_autoscaling_group.asg.name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = aws_autoscaling_group.asg.arn
+}
+output "autoscale_autoscaling_group_availability_zones" {
+ value = aws_autoscaling_group.asg.availability_zones
+}
+output "autoscale_autoscaling_group_desired_capacity" {
+ value = aws_autoscaling_group.asg.desired_capacity
+}
+output "autoscale_autoscaling_group_min_size" {
+ value = aws_autoscaling_group.asg.min_size
+}
+output "autoscale_autoscaling_group_max_size" {
+ value = aws_autoscaling_group.asg.max_size
+}
+output "autoscale_autoscaling_group_target_group_arns" {
+ value = aws_autoscaling_group.asg.target_group_arns
+}
+output "autoscale_autoscaling_group_subnets" {
+ value = aws_autoscaling_group.asg.vpc_zone_identifier
+}
+
+output "autoscale_launch_template_id" {
+ value = aws_launch_template.asg_launch_template.id
+}
+
+output "autoscale_security_group_id" {
+ value = aws_security_group.permissive_sg.id
+}
+
+output "autoscale_iam_role_name" {
+ value = aws_iam_role.role.*.name
+}
+
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/terraform.tfvars b/deprecated/terraform/aws/R80.40/autoscale-gwlb/terraform.tfvars
new file mode 100755
index 00000000..4cced958
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/terraform.tfvars
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "env1"
+asg_name = "autoscaling_group"
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+management_server = "mgmt_env1"
+configuration_template = "tmpl_env1"
+
+// --- EC2 Instances Configuration ---
+gateway_name = "asg_gateway"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+metadata_imdsv2_required = true
+
+// --- Auto Scaling Configuration ---
+minimum_group_size = 2
+maximum_group_size = 10
+target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_instance_connect = false
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/variables.tf b/deprecated/terraform/aws/R80.40/autoscale-gwlb/variables.tf
new file mode 100755
index 00000000..cb1a985c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/variables.tf
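Review bot: The sample `gateway_SICKey = "12345678"` is exactly the minimum the variable's own description allows ("at least 8 alphanumeric characters"), and since this tfvars file is the one users edit in place, the placeholder can survive into a real deployment unchanged; a trailing comment, `gateway_SICKey = "12345678" # example only - replace with a unique key per deployment`, makes the intent explicit. The `vpc-12345678`/`subnet-*` and `key_name = "publickey"` placeholders are obviously fake and will fail on apply, whereas this key passes validation silently.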
@@ -0,0 +1,191 @@
+// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. Recommended at least 2"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the CME configuration"
+}
+variable "configuration_template" {
+ type = string
+ description = "Name of the provisioning template in the CME configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
+
+// --- EC2 Instances Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateways instances"
+ default = "Check-Point-ASG-gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "instances_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances"
+ default = {}
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+
+// --- Auto Scaling Configuration ---
+variable "minimum_group_size" {
+ type = number
+ description = "The minimum number of instances in the Auto Scaling group"
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximum number of instances in the Auto Scaling group"
+ default = 10
+}
+variable "target_groups" {
+ type = list(string)
+ description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group"
+ default = []
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/autoscale-gwlb/versions.tf b/deprecated/terraform/aws/R80.40/autoscale-gwlb/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale-gwlb/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/autoscale/README.md b/deprecated/terraform/aws/R80.40/autoscale/README.md
new file mode 100755
index 00000000..44bf6125
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale/README.md
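Review bot: None of the secret-bearing inputs declared in this file — `access_key`, `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_SICKey` — carries `sensitive = true`, so their values are echoed in plan/apply output and in any CI log that captures it; `versions.tf` in this same commit pins `required_version = ">= 0.14.3"`, which supports the attribute, so `sensitive = true` can be added to each of those blocks without changing the module interface. The `null_resource` blocks `invalid_allocation` and `volume_size_too_small` abort by assigning a string to `count`, which presumably relies on the resulting type error to carry the message; the `validation` block already used on `configuration_template` is the supported form, and the same applies to the `validate_*`/`regex_*_result` locals in the autoscale `locals.tf` hunk further down. `vpc_id` is also the only input here without a `description`; the autoscale README in this commit describes it as "The VPC id in which to deploy".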
@@ -0,0 +1,199 @@
+# Check Point CloudGuard Network Auto Scaling Terraform module for AWS
+
+Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC.
+
+These types of Terraform resources are supported:
+* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html)
+* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html)
+* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm)
+* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation
+* [Proxy Elastic Load Balancer](https://www.terraform.io/docs/providers/aws/r/elb.html) - conditional creation
+
+
+See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Default.htm) for additional information
+
+This solution uses the following modules:
+- /terraform/aws/modules/amis
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.aws_access_key_ID
+ secret_key = var.aws_secret_access_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.aws_access_key_ID
+ // secret_key = var.aws_secret_access_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- Environment ---
+ prefix = "env1"
+ asg_name = "autoscaling_group"
+
+ // --- VPC Network Configuration ---
+ vpc_id = "vpc-12345678"
+ subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+ // --- Automatic Provisioning with Security Management Server Settings ---
+ gateways_provision_address_type = "private"
+ management_server = "mgmt_env1"
+ configuration_template = "tmpl_env1"
+
+ // --- EC2 Instances Configuration ---
+ gateway_name = "asg_gateway"
+ gateway_instance_type = "c5.xlarge"
+ key_name = "publickey"
+ instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+ }
+
+ // --- Auto Scaling Configuration ---
+ minimum_group_size = 2
+ maximum_group_size = 10
+ target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+ // --- Check Point Settings ---
+ gateway_version = "R81.20-BYOL"
+ admin_shell = "/etc/cli.sh"
+ gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Outbound Proxy Configuration (optional) --- + proxy_elb_type = "internet-facing" + proxy_elb_clients = "0.0.0.0/0" + proxy_elb_port = 8080 + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
+| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes |
+| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no |
+| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no |
+| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no |
+| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
+| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no |
+| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no |
+| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no |
+| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | +| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | +| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_load_balancers | The deployed AutoScaling Group's configured load balancers | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the 
template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
+| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | Change default shell for the admin user to /etc/cli.sh |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | AWS Terraform modules refactor |
+| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/deprecated/terraform/aws/R80.40/autoscale/asg_userdata.yaml b/deprecated/terraform/aws/R80.40/autoscale/asg_userdata.yaml
new file mode 100755
index 00000000..ea6de749
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale/asg_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
diff --git a/deprecated/terraform/aws/R80.40/autoscale/locals.tf b/deprecated/terraform/aws/R80.40/autoscale/locals.tf
new file mode 100755
index 00000000..72fa5951
--- /dev/null
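Review bot: The hard-coded `templateVersion=\"20231012\"` in the `python3 /etc/cloud_config.py` line is older than the newest entry (20240417) in the revision history the README in this commit publishes for this module, so instances will self-report a template version that does not match the documentation; if the file is intentionally frozen as a deprecated snapshot, a comment above `runcmd:` saying so would stop the two from being bumped independently. Separately, `sicKey`, `passwordHash` and `MaintenanceModePassword` are handed to the script as command-line arguments, so they are visible in the process table while it runs and, being rendered into user-data by `main.tf`, remain stored with every launch template version; neither the README nor the variable descriptions mention this, and a sentence there would help operators decide how to handle those inputs.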
+++ b/deprecated/terraform/aws/R80.40/autoscale/locals.tf 
@@ -0,0 +1,62 @@
+locals {
+ asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+ create_iam_role = var.enable_cloudwatch ? 1 : 0
+
+ gateways_provision_address_type_allowed_values = [
+ "public",
+ "private"
+ ]
+ // Will fail if var.gateways_provision_address_type is invalid
+ validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+
+ proxy_elb_type_allowed_values = [
+ "none",
+ "internal",
+ "internet-facing"
+ ]
+ // Will fail if var.proxy_elb_type is invalid
+ validate_proxy_elb_type = index(local.proxy_elb_type_allowed_values, var.proxy_elb_type)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.proxy_elb_clients is invalid
+ regex_cidr_result = regex(local.regex_valid_cidr_range, var.proxy_elb_clients) == var.proxy_elb_clients ? 0 : "Variable [proxy_elb_clients] must be a valid CIDR range"
+
+ tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+}
+resource "null_resource" "tags_as_list_of_maps" {
+ count = length(keys(var.instances_tags))
+
+ triggers = {
+ "key" = keys(var.instances_tags)[count.index]
+ "value" = values(var.instances_tags)[count.index]
+ "propagate_at_launch" = "true"
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/autoscale/main.tf b/deprecated/terraform/aws/R80.40/autoscale/main.tf
new file mode 100755
index 00000000..68abbfe0
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/autoscale/main.tf
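Review bot: The error string for `regex_key_name_result` reads `"Variable [key_name] must be a none empty string"`; `"Variable [key_name] must be a non-empty string"` is the intended wording. The pattern `[\\S\\s]+[\\S]+` is also unanchored, so `regex()` appears to return the longest match ending in a non-space and the `== var.key_name` comparison is what actually rejects trailing whitespace; a comment such as `// unanchored on purpose: the equality check is what rejects trailing whitespace` would save the next reader from "fixing" it.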
@@ -0,0 +1,248 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.gateway_version +} + +resource "aws_security_group" "permissive_sg" { + name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name) + description = "Permissive security group" + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = format("%s_PermissiveSecurityGroup", local.asg_name) + } +} + +resource "aws_launch_template" "asg_launch_template" { + name_prefix = local.asg_name + image_id = module.amis.ami_id + instance_type = var.gateway_instance_type + key_name = var.key_name + network_interfaces { + associate_public_ip_address = true + security_groups = [aws_security_group.permissive_sg.id] + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + iam_instance_profile { + name = ( var.enable_cloudwatch ? 
aws_iam_instance_profile.instance_profile[0].name : "") + } + monitoring { + enabled = true + } + + block_device_mappings { + device_name = "/dev/xvda" + ebs { + volume_type = "gp3" + volume_size = var.volume_size + encrypted = var.enable_volume_encryption + } + } + description = "Initial template version" + + + user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", { + // script's arguments + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + EnableCloudWatch = var.enable_cloudwatch, + EnableInstanceConnect = var.enable_instance_connect, + Shell = var.admin_shell, + SICKey = local.gateway_SICkey_base64, + AllowUploadDownload = var.allow_upload_download, + BootstrapScript = local.gateway_bootstrap_script64, + OsVersion = local.version_split + })) +} +resource "aws_autoscaling_group" "asg" { + name_prefix = local.asg_name + launch_template { + id = aws_launch_template.asg_launch_template.id + version = aws_launch_template.asg_launch_template.latest_version + } + min_size = var.minimum_group_size + max_size = var.maximum_group_size + load_balancers = aws_elb.proxy_elb.*.name + target_group_arns = var.target_groups + vpc_zone_identifier = var.subnet_ids + health_check_grace_period = 3600 + health_check_type = "ELB" + + tag { + key = "Name" + value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.gateway_name) + propagate_at_launch = true + } + + tag { + key = "x-chkp-tags" + value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) + propagate_at_launch = true + } + + dynamic "tag" { + for_each = var.instances_tags + content { + key = tag.key + value = tag.value + propagate_at_launch = true + } + } +} + +data "aws_iam_policy_document" "assume_role_policy_document" { + version = "2012-10-17" + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + effect = "Allow" + } +} + +resource "aws_iam_role" "role" { + count = local.create_iam_role + name_prefix = format("%s-iam_role", local.asg_name) + assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json + path = "/" +} +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.create_iam_role + role = aws_iam_role.role[count.index].name + tag_name = local.asg_name +} + +resource "aws_iam_instance_profile" "instance_profile" { + count = local.create_iam_role + name_prefix = format("%s-iam_instance_profile", local.asg_name) + path = "/" + role = aws_iam_role.role[count.index].name +} + +// Proxy ELB +locals { + proxy_elb_condition = var.proxy_elb_type != "none" ? 
1 : 0 +} +resource "random_id" "proxy_elb_uuid" { + byte_length = 5 +} +resource "aws_elb" "proxy_elb" { + count = local.proxy_elb_condition + name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex) + internal = var.proxy_elb_type == "internal" + cross_zone_load_balancing = true + listener { + instance_port = var.proxy_elb_port + instance_protocol = "TCP" + lb_port = var.proxy_elb_port + lb_protocol = "TCP" + } + health_check { + target = format("TCP:%s", var.proxy_elb_port) + healthy_threshold = 3 + unhealthy_threshold = 5 + interval = 30 + timeout = 5 + } + subnets = var.subnet_ids + security_groups = [aws_security_group.elb_security_group[count.index].id] +} +resource "aws_load_balancer_policy" "proxy_elb_policy" { + count = local.proxy_elb_condition + load_balancer_name = aws_elb.proxy_elb[count.index].name + policy_name = "EnableProxyProtocol" + policy_type_name = "ProxyProtocolPolicyType" + + policy_attribute { + name = "ProxyProtocol" + value = "true" + } +} +resource "aws_security_group" "elb_security_group" { + count = local.proxy_elb_condition + description = "ELB security group" + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + protocol = "tcp" + cidr_blocks = [var.proxy_elb_clients] + from_port = var.proxy_elb_port + to_port = var.proxy_elb_port + } +} + +// Scaling metrics +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" { + alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name) + metric_name = "CPUUtilization" + alarm_description = "Scale-down if CPU < 60% for 10 minutes" + namespace = "AWS/EC2" + statistic = "Average" + period = 300 + evaluation_periods = 2 + threshold = 60 + alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.asg.name + } + comparison_operator = "LessThanThreshold" +} +resource "aws_autoscaling_policy" "scale_down_policy" { + 
autoscaling_group_name = aws_autoscaling_group.asg.name + name = format("%s_scale_down", aws_autoscaling_group.asg.name) + adjustment_type = "ChangeInCapacity" + cooldown = 300 + scaling_adjustment = -1 +} +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" { + alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name) + metric_name = "CPUUtilization" + alarm_description = "Scale-up if CPU > 80% for 10 minutes" + namespace = "AWS/EC2" + statistic = "Average" + period = 300 + evaluation_periods = 2 + threshold = 80 + alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.asg.name + } + comparison_operator = "GreaterThanThreshold" +} +resource "aws_autoscaling_policy" "scale_up_policy" { + autoscaling_group_name = aws_autoscaling_group.asg.name + name = format("%s_scale_up", aws_autoscaling_group.asg.name) + adjustment_type = "ChangeInCapacity" + cooldown = 300 + scaling_adjustment = 1 +} diff --git a/deprecated/terraform/aws/R80.40/autoscale/output.tf b/deprecated/terraform/aws/R80.40/autoscale/output.tf new file mode 100755 index 00000000..152bb744 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/autoscale/output.tf 
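Review bot: `aws_security_group.permissive_sg` admits every port and protocol from `0.0.0.0/0`, and the launch template sets `associate_public_ip_address = true`, so the client restriction on `aws_security_group.elb_security_group` (`cidr_blocks = [var.proxy_elb_clients]`) does not bound who can reach `proxy_elb_port` — a member's public address is reachable directly. That is presumably intentional because the Check Point gateway policy is meant to be the enforcement point, but the resource does not say so; a comment such as `# Intentionally open: traffic filtering is enforced by the gateway's own security policy, not by this SG` would make the trust model explicit for whoever audits the account. The `provider "aws"` block also takes `access_key`/`secret_key` from variables, which puts long-lived static credentials into tfvars and state; a comment recommending environment variables or a named profile over filling these in would be cheap here. The file is complete in this hunk, so no block is cut at the edges.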
@@ -0,0 +1,43 @@ +output "Deployment" { + value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished." +} + +output "autoscale_autoscaling_group_name" { + value = aws_autoscaling_group.asg.name +} +output "autoscale_autoscaling_group_arn" { + value = aws_autoscaling_group.asg.arn +} +output "autoscale_autoscaling_group_availability_zones" { + value = aws_autoscaling_group.asg.availability_zones +} +output "autoscale_autoscaling_group_desired_capacity" { + value = aws_autoscaling_group.asg.desired_capacity +} +output "autoscale_autoscaling_group_min_size" { + value = aws_autoscaling_group.asg.min_size +} +output "autoscale_autoscaling_group_max_size" { + value = aws_autoscaling_group.asg.max_size +} +output "autoscale_autoscaling_group_load_balancers" { + value = aws_autoscaling_group.asg.load_balancers +} +output "autoscale_autoscaling_group_target_group_arns" { + value = aws_autoscaling_group.asg.target_group_arns +} +output "autoscale_autoscaling_group_subnets" { + value = aws_autoscaling_group.asg.vpc_zone_identifier +} +output "autoscale_launch_template_id" { + value = aws_launch_template.asg_launch_template.id +} + +output "autoscale_security_group_id" { + value = aws_security_group.permissive_sg.id +} + +output "autoscale_iam_role_name" { + value = aws_iam_role.role.*.name +} + diff --git a/deprecated/terraform/aws/R80.40/autoscale/terraform.tfvars b/deprecated/terraform/aws/R80.40/autoscale/terraform.tfvars new file mode 100755 index 00000000..d513fcd5 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/autoscale/terraform.tfvars 
@@ -0,0 +1,45 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- Environment --- +prefix = "env1" +asg_name = "autoscaling_group" + +// --- VPC Network Configuration --- +vpc_id = "vpc-12345678" +subnet_ids = ["subnet-abc123", "subnet-def456"] + +// --- Automatic Provisioning with Security Management Server Settings --- +gateways_provision_address_type = "private" +management_server = "mgmt_env1" +configuration_template = "tmpl_env1" + +// --- EC2 Instances Configuration --- +gateway_name = "asg_gateway" +gateway_instance_type = "c5.xlarge" +key_name = "publickey" +instances_tags = { + key1 = "value1" + key2 = "value2" +} +metadata_imdsv2_required = true + +// --- Auto Scaling Configuration --- +minimum_group_size = 2 +maximum_group_size = 10 +target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"] + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. +gateway_SICKey = "12345678" +enable_instance_connect = false +allow_upload_download = true +enable_cloudwatch = false +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + +// --- Outbound Proxy Configuration (optional) --- +proxy_elb_type = "internet-facing" +proxy_elb_clients = "0.0.0.0/0" +proxy_elb_port = 8080 diff --git a/deprecated/terraform/aws/R80.40/autoscale/variables.tf b/deprecated/terraform/aws/R80.40/autoscale/variables.tf new file mode 100755 index 00000000..81d256ab --- /dev/null +++ b/deprecated/terraform/aws/R80.40/autoscale/variables.tf 
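Review bot: This `terraform.tfvars` is auto-loaded by `terraform apply`, and as shipped it combines `proxy_elb_type = "internet-facing"` with `proxy_elb_clients = "0.0.0.0/0"` and the guessable `gateway_SICKey = "12345678"`, so a copy-and-run deployment exposes an outbound proxy listener to the whole internet behind a weak SIC key. Safer example values would be `proxy_elb_type = "none"` (or `"internal"`), a narrow CIDR for `proxy_elb_clients`, and a placeholder comment on the SIC key line such as `# replace with a random string of at least 8 alphanumeric characters; never reuse this example`. The file's own header only says to consult the README, which does not convey that these particular values are unsafe defaults.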
@@ -0,0 +1,190 @@ +// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. Recommended at least 2" +} + +// --- Automatic Provisioning with Security Management Server Settings --- +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the CME configuration" +} +variable "configuration_template" { + type = string + description = "Name of the provisioning template in the CME configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." 
+ } +} + +// --- EC2 Instances Configuration --- +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateways instances" + default = "Check-Point-ASG-gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "instances_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added on all AutoScaling Group instances" + default = {} +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} + +// --- Auto Scaling Configuration --- +variable "minimum_group_size" { + type = number + description = "The minimum number of instances in the Auto Scaling group" + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximum number of instances in the Auto Scaling group" + default = 10 +} +variable "target_groups" { + type = list(string) + description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group" + default = [] +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- (Optional) Outbound Proxy Configuration --- +variable "proxy_elb_type" { + type = string + description = "Type of ELB to create as an HTTP/HTTPS outbound proxy" + default = "none" +} +variable "proxy_elb_port" { + type = number + description = "The TCP port on which the proxy will be listening" + default = 8080 +} +variable "proxy_elb_clients" { + type = string + description = "The CIDR range of the clients of the proxy" + default = "0.0.0.0/0" +} diff --git a/deprecated/terraform/aws/R80.40/autoscale/versions.tf b/deprecated/terraform/aws/R80.40/autoscale/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/autoscale/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/deprecated/terraform/aws/R80.40/cluster-master/README.md b/deprecated/terraform/aws/R80.40/cluster-master/README.md new file mode 100755 index 00000000..ece3775c --- /dev/null 
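Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are declared as plain `string` variables, so their values can appear in plan/apply output and in any error message that interpolates them. The module pins `required_version = ">= 0.14.3"` in `versions.tf` in this same commit, where `sensitive = true` is available, so adding `sensitive = true` to each of those four variable blocks redacts them from CLI output without changing how `main.tf` consumes them; `access_key` is usually marked as well to keep the pair consistent. Note in the variable descriptions that this is a display control only — the state file still stores the values in clear, so state storage needs its own protection. The variables.tf hunk is complete in SOURCE; the versions.tf hunk that follows it on the same line is a plain provider pin and needs nothing.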
+++ b/deprecated/terraform/aws/R80.40/cluster-master/README.md 
@@ -0,0 +1,221 @@ +# Check Point CloudGuard Network Security Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information + +This solution uses the following modules: +- /terraform/aws/cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS 
Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/cluster-master/locals.tf b/deprecated/terraform/aws/R80.40/cluster-master/locals.tf new file mode 100755 index 00000000..b77484fe --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cluster-master/locals.tf 
@@ -0,0 +1,52 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster-master/main.tf b/deprecated/terraform/aws/R80.40/cluster-master/main.tf
new file mode 100755
index 00000000..29746863
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster-master/main.tf
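Review bot: The validation idiom used throughout this file, `regex(pattern, value) == value ? 0 : "message"`, never shows the operator the message: when the value does not match, `regex()` itself aborts with Terraform's generic "pattern did not match" error before the conditional is reached, and for the `^...$`-anchored patterns a successful match always equals the whole value, so the string branch is unreachable. versions.tf in this same diff requires Terraform >= 0.14.3, where a `validation` block on the variable is available and reports the text by variable name, e.g. `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) error_message = "Variable [gateway_SICKey] must be at least 8 alphanumeric characters." }`. The key_name message also reads `none empty string` where `non-empty string` is meant. The copy of this pattern in deprecated/terraform/aws/R80.40/cluster/locals.tf later in this diff has the same shape.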
@@ -0,0 +1,64 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+module "launch_cluster_into_vpc" {
+ source = "../cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = 
var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster-master/output.tf b/deprecated/terraform/aws/R80.40/cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cluster-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/cluster-master/terraform.tfvars
new file mode 100755
index 00000000..1e7b2c78
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster-master/terraform.tfvars
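Review bot: The `provider "aws"` block at the top of main.tf wires `access_key`/`secret_key` to input variables, which steers users toward writing long-lived static credentials into terraform.tfvars on disk, while the environment-variable and shared-credential chain the README already describes needs no variables at all. Consider dropping those two lines so the provider resolves credentials from the chain by default, and at minimum declare `secret_key` with `sensitive = true` in variables.tf so it is redacted in plan output. Separately, `private_rtb_to_private_subnets` associates only `private_subnets_ids_list[0]`; since `private_subnets_map` can create several private subnets, any additional ones are presumably left on the VPC main route table — that looks intentional because the cluster module takes a single `private_subnet_id`, but it deserves a comment such as `// only the first private subnet is wired to the cluster; any extra subnets keep the VPC main route table`.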
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cluster-master/variables.tf b/deprecated/terraform/aws/R80.40/cluster-master/variables.tf
new file mode 100755
index 00000000..d1faf72c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster-master/variables.tf
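Review bot: The committed sample sets `gateway_SICKey = "12345678"`, a value that satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a deployment applied without editing this file establishes SIC trust with a trivially guessable one-time key. A placeholder that fails that check, such as `gateway_SICKey = "REPLACE_ME" // random string, at least 8 alphanumeric characters`, stops `terraform apply` until the operator supplies a real value; the same `"12345678"` also appears as the documented default in the cluster README table in this diff. The other example values here (`key_name = "publickey"`, the `echo ... > /home/admin/bootstrap.txt` script) are harmless but would read better with the same `// example value` marker.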
@@ -0,0 +1,183 @@
+// Module: Check Point CloudGuard Network Security Cluster into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster-master/versions.tf b/deprecated/terraform/aws/R80.40/cluster-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
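Review bot: None of the secret-bearing inputs — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — carry `sensitive = true`, so their values are printed verbatim in `terraform plan`/`apply` output and in the module-argument diff of `launch_cluster_into_vpc`. versions.tf in this diff requires Terraform >= 0.14.3, where the attribute is available, so adding `sensitive = true` to each of those six blocks redacts them without any other change. Also, `memberAToken` and `memberBToken` have no `default` here, which makes Terraform prompt for them even though the cluster README in this diff lists `""` as their default and marks them not required; if they are meant to be optional, `default = ""` on both would match the documentation.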
+++ b/deprecated/terraform/aws/R80.40/cluster-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster/README.md b/deprecated/terraform/aws/R80.40/cluster/README.md
new file mode 100755
index 00000000..2290fdb7
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/README.md
@@ -0,0 +1,201 @@ +# Check Point CloudGuard Network Security Cluster Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into an existing VPC on AWS. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240304 | Add 
x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/cluster/cluster_member_a_userdata.yaml b/deprecated/terraform/aws/R80.40/cluster/cluster_member_a_userdata.yaml new file mode 100755 index 00000000..6329e2cf --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cluster/cluster_member_a_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cluster/cluster_member_b_userdata.yaml b/deprecated/terraform/aws/R80.40/cluster/cluster_member_b_userdata.yaml new file mode 100755 index 00000000..36d29dc5 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cluster/cluster_member_b_userdata.yaml 
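Review bot: The `runcmd` line hard-codes `templateVersion=\"20231012\"` while the cluster README's revision history in this same commit lists 20240310 as the current template version; if cloud_config.py reports that value anywhere, this copy will misidentify itself, so it should either be bumped or passed in as a template variable like the other fields. The same literal appears in cluster_member_b_userdata.yaml in the next hunk. Note also that this one line carries `sicKey`, `passwordHash`, `MaintenanceModePassword` and the Smart-1 Cloud token in plaintext user data; EC2 user data is readable from the instance metadata service, which is exactly why the `metadata_imdsv2_required` default of `true` in variables.tf matters for these templates and should not be loosened. A header comment such as `# secrets below are injected via templatefile(); user data is readable through IMDS on the member, keep IMDSv2 required` would make that dependency explicit.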
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cluster/locals.tf b/deprecated/terraform/aws/R80.40/cluster/locals.tf
new file mode 100755
index 00000000..d64b39e7
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/locals.tf
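Review bot: `hostName=\"${Hostname }\"` carries a stray space inside the interpolation that the member A template does not have; Terraform's template syntax appears to accept whitespace inside `${ }`, so this is not a functional defect, but it makes a diff between the two member templates noisy and reads like a typo. Change it to `hostName=\"${Hostname}\"` so that the two userdata files differ only in the TokenA/TokenB and MemberAPublicAddress/MemberBPublicAddress variables.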
@@ -0,0 +1,69 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenA = split(" ", var.memberAToken)
+ tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1))
+ regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format"
+
+ //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenB = split(" ", var.memberBToken)
+ tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1))
+ regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 
0 : "Smart-1 Cloud token B is invalid format"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster/main.tf b/deprecated/terraform/aws/R80.40/cluster/main.tf
new file mode 100755
index 00000000..8282b24b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/main.tf
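Review bot: `regex_token_valid` leaves the dots in `.checkpoint.com` unescaped and puts a greedy `(.+)` in front of the host, so a decoded Smart-1 Cloud token only has to contain some character before `checkpoint` and some character before `com` somewhere after `https://`, which is a looser check than the comment below it ("should contain https:// and .checkpoint.com/app/maas/api/v1/tenant") describes. Escaping the dots, `regex_token_valid = "(^https://(.+)\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"`, makes the check match its own comment without changing what a well-formed token looks like. Separately, `provided_roue_table` is misspelled and does not appear to be referenced in main.tf (main.tf uses `local.internal_route_table_condition` and tests `var.private_route_table` directly), so it can be renamed or dropped, and the `[gateway_SIC_Key]` error message names a variable that is declared as `gateway_SICKey`.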
@@ -0,0 +1,291 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+ chkp_type = "gateway"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+}
+
+resource "aws_iam_instance_profile" "cluster_instance_profile" {
+ path = "/"
+ role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role
+}
+
+module "cluster_iam_role" {
+ source = "../modules/cluster-iam-role"
+ count = local.create_iam_role
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_instance_profile.cluster_instance_profile.role
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name
+}
+
+resource "aws_network_interface" "member_a_external_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A external"
+ source_dest_check = false
+ lifecycle {
+ ignore_changes = [private_ips_count,]
+ }
+ private_ips_count = 1
+ tags = {
+ Name = format("%s-Member_A_ExternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_b_external_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B external"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-Member_B_ExternalInterface", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_a_internal_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A internal"
+ source_dest_check = false
+ lifecycle {
+ ignore_changes = [private_ips_count,]
+ }
+ private_ips_count = 1
+ tags = {
+ Name = format("%s-Member_A_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_b_internal_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B internal"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-Member_B_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_route" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ lifecycle {
+ ignore_changes = [network_interface_id,]
+ }
+ destination_cidr_block = "0.0.0.0/0"
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+}
+
+resource "aws_route_table_association" "private_rtb_to_private_subnet" {
+ count = var.private_route_table == "" ? 0 : 1
+ route_table_id = var.private_route_table
+ subnet_id = var.private_subnet_id
+}
+
+resource "aws_launch_template" "member_a_launch_template" {
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? 
"required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_launch_template" "member_b_launch_template" {
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_instance" "member-a-instance" {
+ depends_on = [
+ aws_network_interface.member_a_external_eni,
+ aws_network_interface.member_a_internal_eni
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_a_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-A",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ var.allocate_and_associate_eip ? 
aws_eip.member_a_eip[0].public_ip : "", aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0),
+ element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenA = var.memberAToken,
+ MemberAPublicAddress = var.allocate_and_associate_eip ? 
aws_eip.member_a_eip[0].public_ip : "",
+ AllocateAddress = var.allocate_and_associate_eip,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_instance" "member-b-instance" {
+ depends_on = [
+ aws_network_interface.member_b_external_eni,
+ aws_network_interface.member_b_internal_eni
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_b_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-B",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "", aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0),
+ element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenB = var.memberBToken,
+ MemberBPublicAddress = var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "",
+ AllocateAddress = var.allocate_and_associate_eip,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_eip" "cluster_eip" {
+}
+
+resource "aws_eip" "member_a_eip" {
+ count = var.allocate_and_associate_eip ? 1 : 0
+}
+
+resource "aws_eip" "member_b_eip" {
+ count = var.allocate_and_associate_eip ? 1 : 0
+}
+
+resource "aws_eip_association" "cluster_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ allocation_id = aws_eip.cluster_eip.id
+ lifecycle {
+ ignore_changes = [
+ network_interface_id, private_ip_address
+ ]
+ }
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip
+}
+resource "aws_eip_association" "member_a_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ count = var.allocate_and_associate_eip ? 
1 : 0
+ allocation_id = aws_eip.member_a_eip[0].id
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary
+}
+resource "aws_eip_association" "member_b_address_assoc" {
+ depends_on = [aws_instance.member-b-instance]
+ count = var.allocate_and_associate_eip ? 1 : 0
+ allocation_id = aws_eip.member_b_eip[0].id
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary
+}
+
diff --git a/deprecated/terraform/aws/R80.40/cluster/output.tf b/deprecated/terraform/aws/R80.40/cluster/output.tf
new file mode 100755
index 00000000..6e8f5cbf
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "cluster_public_ip" {
+ value = aws_eip.cluster_eip.*.public_ip
+}
+output "member_a_public_ip" {
+ value = aws_eip.member_a_eip.*.public_ip
+}
+output "member_b_public_ip" {
+ value = aws_eip.member_b_eip.*.public_ip
+}
+output "member_a_ssh" {
+ value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip[0].public_ip) : ""
+}
+output "member_b_ssh" {
+ value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip[0].public_ip) : ""
+}
+output "member_a_url" {
+ value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_a_eip[0].public_ip) : ""
+}
+output "member_b_url" {
+ value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_b_eip[0].public_ip) : ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cluster/terraform.tfvars b/deprecated/terraform/aws/R80.40/cluster/terraform.tfvars
new file mode 100755
index 00000000..179fe10b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/terraform.tfvars
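Review bot: Both aws_instance resources set `lifecycle { ignore_changes = [ebs_block_device,] }` immediately after an ebs_block_device block whose `encrypted` and `kms_key_id` are derived from var.volume_encryption, so once the instances exist a change to (or clearing of) the KMS key is silently not reconciled and `terraform plan` reports no diff. That is presumably deliberate, since a root volume is not re-encrypted in place, but it should be written down next to the lifecycle block, e.g. `// root-volume settings (size, encryption, KMS key) take effect at first launch only; changing var.volume_encryption later requires replacing the instance`. A second point worth a comment: member-b-instance's x-chkp-cluster-ips tag and the cluster_address_assoc private_ip_address are computed from member_a_external_eni / member_a_internal_eni rather than member B's own ENIs, which looks intentional (only member A's ENIs carry the extra `private_ips_count = 1` address that serves as the cluster IP) but reads as a copy-paste slip to anyone comparing the two resources.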
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cluster/variables.tf b/deprecated/terraform/aws/R80.40/cluster/variables.tf
new file mode 100755
index 00000000..1b515744
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/variables.tf
@@ -0,0 +1,181 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_id" {
+ type = string
+ description = "The public subnet of the cluster. The cluster's public IPs will be generated from this subnet"
+}
+variable "private_subnet_id" {
+ type = string
+ description = "The private subnet of the cluster. The cluster's private IPs will be generated from this subnet"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R80.40/cluster/versions.tf b/deprecated/terraform/aws/R80.40/cluster/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cluster/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/README.md b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/README.md
new file mode 100755
index 00000000..ae261614
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/README.md
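Review bot: None of the secret-bearing inputs in this file — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is declared `sensitive = true`, so their values are printed verbatim in plan and apply output and in any CI log that captures it. The versions.tf hunk in this same change pins `required_version = ">= 0.14.3"`, which is past the release that introduced variable-level `sensitive`, so adding `sensitive = true` to each of those variable blocks costs nothing in compatibility; the values still end up in the state file either way, which is a property of state rather than of this attribute and belongs in the README. As a point of style, the `null_resource "volume_size_too_small"` count-as-string trick and the two `module "validate_*"` blocks live in variables.tf; a `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100" }` block on the variable itself expresses the same constraint where a reader looks for it.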
@@ -0,0 +1,100 @@ +# AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230926 | CME instance profile for IAM Role | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/main.tf b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/main.tf new file mode 100755 index 00000000..33ea37ab --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/main.tf 
@@ -0,0 +1,110 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +resource "aws_iam_role" "cme_iam_role_gwlb" { + assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json + path = "/" +} + +data "aws_iam_policy_document" "cme_role_assume_policy_document" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = var.trusted_account == "" ? "Service" : "AWS" + identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account] + } + } +} + +locals { + provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1 + allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0 + allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0 +} + +data "aws_iam_policy_document" "cme_role_sts_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + resources = var.sts_roles + } +} +resource "aws_iam_policy" "cme_role_sts_policy" { + count = local.provided_sts_roles + policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json + +} +resource "aws_iam_role_policy_attachment" "attach_sts_policy" { + count = local.provided_sts_roles + policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn + role = aws_iam_role.cme_iam_role_gwlb.id +} + +data "aws_iam_policy_document" "cme_role_read_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "ec2:DescribeRegions", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeInternetGateways", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcEndpointServiceConfigurations", + "elasticloadbalancing:DescribeLoadBalancers", + 
"elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetHealth"] + resources = ["*"] + } +} +resource "aws_iam_policy" "cme_role_read_policy" { + count = local.allow_read_permissions + policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json +} +resource "aws_iam_role_policy_attachment" "attach_read_policy" { + count = local.allow_read_permissions + policy_arn = aws_iam_policy.cme_role_read_policy[0].arn + role = aws_iam_role.cme_iam_role_gwlb.id +} + +data "aws_iam_policy_document" "cme_role_write_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = [ + "ec2:CreateRoute", + "ec2:ReplaceRoute", + "ec2:DeleteRoute", + "ec2:CreateRouteTable", + "ec2:AssociateRouteTable", + "ec2:CreateTags" +] + resources = ["*"] + } +} +resource "aws_iam_policy" "cme_role_write_policy" { + count = local.allow_write_permissions + policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json +} +resource "aws_iam_role_policy_attachment" "attach_write_policy" { + count = local.allow_write_permissions + policy_arn = aws_iam_policy.cme_role_write_policy[0].arn + role = aws_iam_role.cme_iam_role_gwlb.id +} +resource "aws_iam_instance_profile" "iam_instance_profile" { + role = aws_iam_role.cme_iam_role_gwlb.id +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/output.tf b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/output.tf new file mode 100755 index 00000000..8c86901a --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/output.tf 
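Review bot: In `cme_role_assume_policy_document`, when `trusted_account` is set the statement names the bare account ID with type "AWS", which makes that account's root the principal and lets every IAM principal in that account that holds `sts:AssumeRole` assume this role; the statement carries no `condition` block to narrow it (an `sts:ExternalId` test is the usual one), and nothing in this hunk checks that the value is actually a 12-digit account ID before it becomes a principal. `cme_role_write_policy_doc` grants `ec2:CreateRoute`, `ec2:ReplaceRoute` and `ec2:DeleteRoute` on `resources = ["*"]`, so a role created with read-write permissions can rewrite any route table in the account, not only the ones CME manages; if that breadth is intended, a comment above the statement stating why would save the next reviewer the question. The trust statement is repeated verbatim in deprecated/terraform/aws/R80.40/cme-iam-role/main.tf (the hunk ending at the attach_write_policy resource), so the same point applies there.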
@@ -0,0 +1,13 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role_gwlb.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role_gwlb.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
+
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/terraform.tfvars b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/terraform.tfvars
new file mode 100755
index 00000000..9914eae9
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/variables.tf b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/variables.tf
new file mode 100755
index 00000000..3a0fe740
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/versions.tf b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/versions.tf
new file mode 100755
index 00000000..b3e24059
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role-gwlb/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/README.md b/deprecated/terraform/aws/R80.40/cme-iam-role/README.md
new file mode 100755
index 00000000..5aa02a68
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role/README.md
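Review bot: `variable "secret_key"` (and `access_key`) in this hunk is declared without `sensitive = true`, so Terraform will not mask the value if it reaches plan output or an output that derives from it; versions.tf in the same commit requires Terraform >= 0.14.3, which supports the attribute, so `sensitive = true` can simply be added to both blocks. The `validate_permissions` local rejects a bad `permissions` value only by letting `index()` fail, which surfaces as a function error rather than a message naming the variable; a `validation` block on `variable "permissions"` using `contains(local.permissions_allowed_values, var.permissions)` with an `error_message` would report it readably. `trusted_account` is described as a 12-digit account ID but its format is never checked before main.tf uses it as an IAM principal, so a `validation` block on that variable is worth adding too. The same three points apply to the identical hunk for deprecated/terraform/aws/R80.40/cme-iam-role/variables.tf.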
@@ -0,0 +1,102 @@ +# AWS IAM Role for Cloud Management Extension (CME) Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230514 | CME instance profile for IAM Role | +| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/main.tf b/deprecated/terraform/aws/R80.40/cme-iam-role/main.tf new file mode 100755 index 00000000..817e3b90 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role/main.tf 
@@ -0,0 +1,136 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +resource "aws_iam_role" "cme_iam_role" { + assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json + path = "/" +} + +data "aws_iam_policy_document" "cme_role_assume_policy_document" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = var.trusted_account == "" ? "Service" : "AWS" + identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account] + } + } +} + +locals { + provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1 + allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0 + allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0 +} + +data "aws_iam_policy_document" "cme_role_sts_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + resources = var.sts_roles + } +} +resource "aws_iam_policy" "cme_role_sts_policy" { + count = local.provided_sts_roles + policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json + +} +resource "aws_iam_role_policy_attachment" "attach_sts_policy" { + count = local.provided_sts_roles + policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn + role = aws_iam_role.cme_iam_role.id +} + +data "aws_iam_policy_document" "cme_role_read_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "ec2:DescribeRegions", + "ec2:DescribeCustomerGateways", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeTransitGateways", + "ec2:DescribeTransitGatewayAttachments", + "ec2:DescribeTransitGatewayRouteTables", + "ec2:DescribeVpcs", + 
"ec2:DescribeVpnGateways", + "ec2:DescribeVpnConnections", + "ec2:GetTransitGatewayAttachmentPropagations", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetHealth"] + resources = ["*"] + } +} +resource "aws_iam_policy" "cme_role_read_policy" { + count = local.allow_read_permissions + policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json +} +resource "aws_iam_role_policy_attachment" "attach_read_policy" { + count = local.allow_read_permissions + policy_arn = aws_iam_policy.cme_role_read_policy[0].arn + role = aws_iam_role.cme_iam_role.id +} + +data "aws_iam_policy_document" "cme_role_write_policy_doc" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = [ + "ec2:AssociateTransitGatewayRouteTable", + "ec2:AttachVpnGateway", + "ec2:CreateCustomerGateway", + "ec2:CreateVpnConnection", + "ec2:CreateVpnGateway", + "ec2:DeleteCustomerGateway", + "ec2:DeleteVpnConnection", + "ec2:DeleteVpnGateway", + "ec2:DetachVpnGateway", + "ec2:DisableTransitGatewayRouteTablePropagation", + "ec2:DisableVgwRoutePropagation", + "ec2:DisassociateTransitGatewayRouteTable", + "ec2:EnableTransitGatewayRouteTablePropagation", + "ec2:EnableVgwRoutePropagation"] + resources = ["*"] + } + statement { + effect = "Allow" + actions = [ + "cloudformation:DescribeStacks", + "cloudformation:DescribeStackResources", + "cloudformation:ListStacks"] + resources = ["*"] + } + statement { + effect = "Allow" + actions = [ + "cloudformation:CreateStack", + "cloudformation:DeleteStack"] + resources = ["arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*"] + } +} +resource "aws_iam_policy" "cme_role_write_policy" { + count = local.allow_write_permissions + policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json +} +resource "aws_iam_role_policy_attachment" 
"attach_write_policy" { + count = local.allow_write_permissions + policy_arn = aws_iam_policy.cme_role_write_policy[0].arn + role = aws_iam_role.cme_iam_role.id +} +resource "aws_iam_instance_profile" "iam_instance_profile" { + role = aws_iam_role.cme_iam_role.id +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/output.tf b/deprecated/terraform/aws/R80.40/cme-iam-role/output.tf new file mode 100755 index 00000000..cad35709 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role/output.tf @@ -0,0 +1,12 @@ +output "cme_iam_role_arn" { + value = aws_iam_role.cme_iam_role.arn +} +output "cme_iam_role_name" { + value = aws_iam_role.cme_iam_role.name +} +output "cme_iam_profile_name" { + value = aws_iam_instance_profile.iam_instance_profile.name +} +output "cme_iam_profile_arn" { + value = aws_iam_instance_profile.iam_instance_profile.arn +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/terraform.tfvars b/deprecated/terraform/aws/R80.40/cme-iam-role/terraform.tfvars new file mode 100755 index 00000000..9914eae9 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role/terraform.tfvars @@ -0,0 +1,5 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +permissions = "Create with read permissions" +sts_roles = [] +trusted_account = "" \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/variables.tf b/deprecated/terraform/aws/R80.40/cme-iam-role/variables.tf new file mode 100755 index 00000000..3a0fe740 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cme-iam-role/variables.tf 
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/deprecated/terraform/aws/R80.40/cme-iam-role/versions.tf b/deprecated/terraform/aws/R80.40/cme-iam-role/versions.tf
new file mode 100755
index 00000000..b3e24059
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cme-iam-role/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/README.md b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/README.md
new file mode 100755
index 00000000..1a27cedc
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/README.md
@@ -0,0 +1,219 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/cross-az-cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1a" = 4 + } + subnets_bit_length = 8 + + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX - R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/locals.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..68e4523f --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/locals.tf 
@@ -0,0 +1,58 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + create_iam_role = var.predefined_role == "" ? 1 : 0 + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0 + validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty." + //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa + regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.memberAToken) > 0 + is_both_tokens_the_same = var.memberAToken == var.memberBToken + validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + //Will fail if both s1c tokens are the same + regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : "" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + volume_type_allowed_values = [ + "gp3", + "gp2"] + // will fail if [var.VolumeType] is invalid: + validate_volume_type = index(local.volume_type_allowed_values, var.volume_type) +} diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/main.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/main.tf new file mode 100755 index 00000000..f12ae536 --- /dev/null 
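Review bot: Every check in this block (`regex_vpc_cidr`, `validate_admin_shell`, `regex_key_name_result`, `regex_gateway_sic_result`, the two Smart-1 token checks, the hash and NTP checks, `validate_volume_type`) is a side-effect local whose failure surfaces as a `regex()`/`index()` error or as a conditional type-mismatch error, so the message string the author wrote is not reliably what the user sees. versions.tf in this same commit requires Terraform `>= 0.14.3`, where a `validation { condition = …  error_message = "…" }` block on the corresponding variable is available and reports the intended text at plan time; the same applies to `null_resource.volume_size_too_small` in variables.tf. The `key_name` message also has a typo, `"must be a none empty string"` should read `non-empty`. If this tree is an archival copy, the change belongs in the live module rather than here.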
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/main.tf 
@@ -0,0 +1,70 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_a" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_b" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[1]
+}
+
+module "launch_cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_ids = module.launch_vpc.public_subnets_ids_list
+ private_subnet_ids = module.launch_vpc.private_subnets_ids_list
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/output.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/terraform.tfvars
new file mode 100755
index 00000000..28cb64a3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/variables.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/variables.tf
new file mode 100755
index 00000000..d49cf50c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/variables.tf
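Review bot: `gateway_SICKey = "12345678"` is a sample value that already passes the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a user who applies this file unedited bootstraps SIC trust for both members on a guessable key; the README in this commit also lists that value in the Default column even though the variable declares no default. A safer sample is one that fails validation until it is replaced, e.g. `gateway_SICKey = "" # required: random string of at least 8 alphanumeric characters`. Separately, `primary_ntp = ""` and `secondary_ntp = ""` override the non-empty defaults declared in variables.tf with empty strings; whether the cluster module treats an empty value as "use the default" is not visible here and is worth confirming before this sample is copied.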
@@ -0,0 +1,183 @@ +// Module: Check Point CloudGuard Network Security Cross AZ Cluster into a new VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster-master/versions.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null 
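Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` carry credentials or tokens, but none of their variable blocks declares `sensitive = true`, so the values are echoed in `terraform plan`/`apply` output and in any CI log that captures it. versions.tf in this commit requires Terraform `>= 0.14.3`, where the attribute is available, so adding `sensitive = true` to each of these blocks (and to `access_key`) is a one-line change per variable. The interleaved `module "validate_instance_type"` / `module "validate_gateway_version"` / `null_resource` blocks inside variables.tf would be easier to find next to the variables they check if expressed as `validation` blocks on those variables.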
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/README.md b/deprecated/terraform/aws/R80.40/cross-az-cluster/README.md
new file mode 100755
index 00000000..c070c984
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/README.md
@@ -0,0 +1,196 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_ids = ["subnet-abc123", "subnet-def456"] + private_subnet_ids = ["subnet-abc234", "subnet-def567"] + private_route_table = "rtb-12345678" + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_ids | List of public subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | +| private_subnet_ids | List of private subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX - R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
 - Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. |
+| 20221123 | R81.20 version support |
+| 20221123 | Changed default version and added instances types |
+| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_a_userdata.yaml b/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_a_userdata.yaml
new file mode 100755
index 00000000..1a3095e2
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_a_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
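Review bot: On the `python3 /etc/cloud_config.py` line, `${TokenA}` is interpolated into the shell command as-is inside `"smart1CloudToken=\"${TokenA}\""`, whereas `sicKey`, `passwordHash` and `bootstrapScript64` arrive base64-encoded; a token containing a double quote or other shell metacharacter would break the quoting of the whole runcmd line and the member would boot unconfigured. The `regex_tokenA` check in locals.tf only base64-decodes the last space-separated word of the token, so the words before it are not charset-restricted when the raw value reaches this template. The cheapest guard is a charset check on the raw token in locals.tf before `templatefile`, e.g. `regex("^[A-Za-z0-9+/= ]*$", var.memberAToken)`, or passing the token base64-encoded like the other secrets if `/etc/cloud_config.py` can accept that. Note also that everything on this line, including the base64 SIC key and password hashes, is readable from the instance's user data by any principal allowed `ec2:DescribeInstanceAttribute`; base64 is encoding, not protection. The same applies to `cluster_member_b_userdata.yaml` with `${TokenB}`.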
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_b_userdata.yaml b/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_b_userdata.yaml
new file mode 100755
index 00000000..9ec9d23a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/cluster_member_b_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/locals.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster/locals.tf
new file mode 100755
index 00000000..19f67f30
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/locals.tf
@@ -0,0 +1,75 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0 + create_iam_role = var.predefined_role == "" ? 1 : 0 + provided_roue_table = var.private_route_table == "" ? 0 : 1 + internal_route_table_condition = var.private_route_table != "" ? 1 : 0 + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)" + //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenA = split(" ", var.memberAToken) + tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1)) + regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format" + + //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenB = split(" ", var.memberBToken) + tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1)) + regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 
0 : "Smart-1 Cloud token B is invalid format" + + is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0 + validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty." + //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa + regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.memberAToken) > 0 + is_both_tokens_the_same = var.memberAToken == var.memberBToken + validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + //Will fail if both s1c tokens are the same + regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64=base64encode(var.gateway_SICKey) + gateway_password_hash_base64=base64encode(var.gateway_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.gateway_version), 0) + volume_type_allowed_values = [ + "gp3", + "gp2"] + // will fail if [var.VolumeType] is invalid: + validate_volume_type = index(local.volume_type_allowed_values, var.volume_type) +} diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/main.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster/main.tf new file mode 100755 index 00000000..d6a3bda3 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/main.tf 
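Review bot: `regex_token_valid` leaves every dot unescaped and puts no restriction on what the `(.+)` after `https://` may span, so the decoded-token check accepts a URL whose host is anything at all as long as `checkpoint`, `com` and `/app/maas/api/v1/tenant` appear somewhere later in it, e.g. a path like `https://other.example/x.checkpoint.com/app/maas/api/v1/tenant/...`. If the intent is to reject tokens that point at a non-Check-Point tenant endpoint, anchor the host and escape the dots: `regex_token_valid = "(^https://[^/]+\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"`. Either way this is a format sanity check, not authentication of the token; it should be described as such in the comment above it. Separately, `provided_roue_table` (typo) duplicates `internal_route_table_condition` and is not referenced in the visible main.tf, so it can be dropped.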
@@ -0,0 +1,294 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +resource "aws_iam_instance_profile" "cluster_instance_profile" { + path = "/" + role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role +} + +module "cluster_iam_role" { + source = "../modules/cluster-iam-role" + count = local.create_iam_role +} + +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.enable_cloudwatch_policy + role = aws_iam_instance_profile.cluster_instance_profile.role + tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name +} + +resource "aws_network_interface" "member_a_external_eni" { + subnet_id = var.public_subnet_ids[0] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A external" + source_dest_check = false + private_ips_count = 1 + tags = { + x-chkp-interface-type = "external" } +} + +resource "aws_network_interface" "member_b_external_eni" { + subnet_id = var.public_subnet_ids[1] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B external" + source_dest_check = false + private_ips_count = 1 + tags = { + x-chkp-interface-type = "external" } +} + +resource "aws_network_interface" "member_a_internal_eni" { + subnet_id = var.private_subnet_ids[0] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A internal" + source_dest_check = false + tags = { + x-chkp-interface-type = "internal" } +} + +resource "aws_network_interface" "member_b_internal_eni" { + subnet_id = 
var.private_subnet_ids[1] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B internal" + source_dest_check = false + tags = { + x-chkp-interface-type = "internal" } +} + +resource "aws_route" "internal_default_route" { + count = local.internal_route_table_condition + route_table_id = var.private_route_table + lifecycle { + ignore_changes = [network_interface_id,] + } + destination_cidr_block = "0.0.0.0/0" + network_interface_id = aws_network_interface.member_a_internal_eni.id +} + +resource "aws_route_table_association" "private_rtb_a" { + count = var.private_route_table == "" ? 0 : 1 + route_table_id = var.private_route_table + subnet_id = var.private_subnet_ids[0] +} +resource "aws_route_table_association" "private_rtb_b" { + count = var.private_route_table == "" ? 0 : 1 + route_table_id = var.private_route_table + subnet_id = var.private_subnet_ids[1] +} + +resource "aws_launch_template" "member_a_launch_template" { + depends_on = [ + aws_network_interface.member_a_external_eni, + aws_network_interface.member_a_internal_eni + ] + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? 
"required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_a_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_a_internal_eni.id + device_index = 1 + } +} + +resource "aws_launch_template" "member_b_launch_template" { + depends_on = [ + aws_network_interface.member_b_external_eni, + aws_network_interface.member_b_internal_eni + ] + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_b_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_b_internal_eni.id + device_index = 1 + } +} + +resource "aws_instance" "member-a-instance" { + depends_on = [ + aws_launch_template.member_a_launch_template + ] + + launch_template { + id = aws_launch_template.member_a_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-A",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + aws_eip.member_a_eip.public_ip, aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = 
var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenA = var.memberAToken, + MemberAPublicAddress = aws_eip.member_a_eip.public_ip, + PublicAddressCluster = aws_eip.cluster_eip.public_ip, + MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "",//extracting member's secondary ip which represent the cluster ip + MemberBPrivateAddressCluster = aws_network_interface.member_b_internal_eni.private_ip, + MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? 
element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "", + AllocateAddress = true, + OsVersion = local.version_split + }) +} + +resource "aws_instance" "member-b-instance" { + depends_on = [ + aws_launch_template.member_b_launch_template + ] + + launch_template { + id = aws_launch_template.member_b_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-B",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + aws_eip.member_b_eip.public_ip, aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenB = var.memberBToken, + MemberBPublicAddress = aws_eip.member_b_eip.public_ip, + PublicAddressCluster=aws_eip.cluster_eip.public_ip, + MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "", //extracting member's secondary ip which represent the member ip + MemberAPrivateAddressCluster=aws_network_interface.member_a_internal_eni.private_ip, + MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? 
element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "", + AllocateAddress = true, + OsVersion = local.version_split + }) +} + +resource "aws_eip" "cluster_eip" { +} +resource "aws_eip" "member_a_eip" { +} +resource "aws_eip" "member_b_eip" { +} + +resource "aws_eip_association" "cluster_address_assoc" { + depends_on = [aws_instance.member-a-instance] + allocation_id = aws_eip.cluster_eip.id + lifecycle { + ignore_changes = [ + network_interface_id, private_ip_address + ] + } + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip +} +resource "aws_eip_association" "member_a_address_assoc" { + depends_on = [aws_instance.member-a-instance] + allocation_id = aws_eip.member_a_eip.id + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary +} +resource "aws_eip_association" "member_b_address_assoc" { + depends_on = [aws_instance.member-b-instance] + allocation_id = aws_eip.member_b_eip.id + network_interface_id = aws_network_interface.member_b_external_eni.id + private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/output.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster/output.tf new file mode 100755 index 00000000..e475a650 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/output.tf 
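Review bot: Both `aws_instance` resources hard-code `volume_type = "gp2"` in `ebs_block_device`, while `var.volume_type` (default `gp3`, validated by `local.validate_volume_type` in locals.tf) is never used, so the documented `volume_type` input has no effect in this module; `volume_type = var.volume_type` would make the validation meaningful. The `lifecycle { ignore_changes = [ebs_block_device,] }` block also means a later change to `volume_encryption` or the KMS key is silently ignored on existing members, which is worth stating in that variable's description. The `user_data` rendered here carries the base64 SIC key and both password hashes, readable by any principal allowed `ec2:DescribeInstanceAttribute` on the instance; `metadata_imdsv2_required` defaulting to `true` constrains on-box reads but does not change that, so the SIC activation key should be treated as disclosed once the instance exists.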
@@ -0,0 +1,30 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "cluster_public_ip" {
+ value = aws_eip.cluster_eip.*.public_ip
+}
+output "member_a_public_ip" {
+ value = aws_eip.member_a_eip.*.public_ip
+}
+output "member_b_public_ip" {
+ value = aws_eip.member_b_eip.*.public_ip
+}
+output "member_a_eni" {
+ value = aws_network_interface.member_a_external_eni.id
+}
+output "member_a_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip.public_ip)
+}
+output "member_b_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip.public_ip)
+}
+output "member_a_url" {
+ value = format("https://%s", aws_eip.member_a_eip.public_ip)
+}
+output "member_b_url" {
+ value = format("https://%s", aws_eip.member_b_eip.public_ip)
+}
+output "member_b_eni" {
+ value = aws_network_interface.member_b_external_eni.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/terraform.tfvars b/deprecated/terraform/aws/R80.40/cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..8c6aff9b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/terraform.tfvars
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_ids = ["subnet-abc123", "subnet-def456"]
+private_subnet_ids = ["subnet-abc234", "subnet-def567"]
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/variables.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster/variables.tf
new file mode 100755
index 00000000..c2d66839
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/variables.tf
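Review bot: `gateway_SICKey = "12345678"` in the committed example satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a user who applies this file unchanged deploys a cluster with a guessable SIC activation key and gets no error. A placeholder that fails validation, e.g. `gateway_SICKey = "<REPLACE-WITH-RANDOM-8+-ALPHANUMERIC>"`, would make `terraform plan` stop until a real value is supplied. `primary_ntp = ""` and `secondary_ntp = ""` also override the useful defaults from variables.tf (`169.254.169.123`, `0.pool.ntp.org`) with empty strings that still pass the NTP regex; if the intent is "use the default", those two lines should be omitted rather than set to `""` (what `/etc/cloud_config.py` does with an empty `ntpPrimary` is not visible here and is worth confirming).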
@@ -0,0 +1,181 @@ +// Module: Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. At least 2" +} +variable "private_subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. At least 2" +} +variable "private_route_table" { + type = string + description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 
0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R80.40/cross-az-cluster/versions.tf b/deprecated/terraform/aws/R80.40/cross-az-cluster/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/cross-az-cluster/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/README.md b/deprecated/terraform/aws/R80.40/gateway-master/README.md
new file mode 100755
index 00000000..26913346
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/README.md
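Review bot: None of the secret-bearing inputs — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is declared `sensitive = true`, although `required_version = ">= 0.14.3"` in versions.tf already permits it; without it their values, and the `user_data` derived from them, are printed in `terraform plan`/`apply` output. Adding `sensitive = true` to each of those `variable` blocks redacts them from CLI output (they remain in state either way, so state storage still needs to be protected). Also, the description of `private_subnet_ids` reads "List of public subnet IDs …", a copy of the `public_subnet_ids` text; it should be `description = "List of private subnet IDs to launch resources into. At least 2"`. The hunk opens before this line; the earlier `variable` blocks it covers are on the preceding lines.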
@@ -0,0 +1,216 @@ +# Check Point CloudGuard Network Security Gateway Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + + +See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information + +This solution uses the following modules: +- /terraform/aws/gateway +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + + +## Usage +- Fill all variables in the /terraform/aws/gateway-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Gateway-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + gateway_TokenKey = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + + // --- (Optional) Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "" + configuration_template = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Gateway instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------|----------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| ami_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_url | URL to the portal of the deployed Security Gateway | +| gateway_public_ip | The deployed Security Gateway Server AWS public ip | +| gateway_instance_id | The deployed Security Gateway AWS instance id | +| gateway_instance_name | The deployed Security Gateway AWS instance name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata 
service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/gateway-master/locals.tf b/deprecated/terraform/aws/R80.40/gateway-master/locals.tf new file mode 100755 index 00000000..0ca4134f --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gateway-master/locals.tf 
@@ -0,0 +1,48 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/main.tf b/deprecated/terraform/aws/R80.40/gateway-master/main.tf
new file mode 100755
index 00000000..dd09ebb4
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/main.tf
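Review bot: The SIC key is validated twice in this file — `regex_gateway_sic_result` and `regex_sic_result` apply the same `^[a-zA-Z0-9]{8,}$` pattern to `var.gateway_SICKey` — and the first one's comment and message name `[gateway_SIC_Key]`, which is not the variable declared in variables.tf (`gateway_SICKey`); drop the `regex_valid_gateway_sic_key`/`regex_gateway_sic_result` pair and keep the second. As far as I can tell the `cond ? 0 : "message"` idiom used throughout does not itself fail a plan — Terraform converts the two results to a common string type — so when a pattern does not match the error actually comes from `regex()` finding no match, and the hand-written messages are never surfaced. Since `configuration_template` in variables.tf already uses a `validation` block, expressing these checks as `validation { condition = can(regex(local.regex_valid_sic_key, var.gateway_SICKey)) error_message = "..." }` on each variable would show the intended message and is available under the pinned `required_version`.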
@@ -0,0 +1,66 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_gateway_into_vpc" {
+ source = "../gateway"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/output.tf b/deprecated/terraform/aws/R80.40/gateway-master/output.tf
new file mode 100755
index 00000000..2d8a716c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/output.tf
@@ -0,0 +1,33 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "ami_id" {
+ value = module.launch_gateway_into_vpc.ami_id
+}
+output "permissive_sg_id" {
+ value = module.launch_gateway_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_gateway_into_vpc.permissive_sg_name
+}
+output "gateway_url" {
+ value = module.launch_gateway_into_vpc.gateway_url
+}
+output "gateway_public_ip" {
+ value = module.launch_gateway_into_vpc.gateway_public_ip
+}
+output "gateway_instance_id" {
+ value = module.launch_gateway_into_vpc.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.launch_gateway_into_vpc.gateway_instance_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/gateway-master/terraform.tfvars
new file mode 100755
index 00000000..a8eb1d58
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/terraform.tfvars
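Review bot: The output is declared as `output "internal_rtb_id"` here, while the gateway-master README added in this same commit lists it in the Outputs table as `internal_rt_id`, so a consumer following the documentation will reference an output that does not exist. Align one side — either rename to `output "internal_rt_id"` or change the README row to `internal_rtb_id`; the latter avoids breaking any existing consumers of this deprecated module.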
@@ -0,0 +1,50 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = ""
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/variables.tf b/deprecated/terraform/aws/R80.40/gateway-master/variables.tf
new file mode 100755
index 00000000..1c00c4f3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/variables.tf
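Review bot: The sample sets `volume_encryption = ""`, which overrides the variable's default of `"alias/aws/ebs"` rather than inheriting it; if the gateway module treats an empty string as "no KMS key" (that module is not in this hunk, so confirm), the sample as shipped deploys an unencrypted root volume while the README table advertises encryption by default. Prefer `volume_encryption = "alias/aws/ebs"` in the sample, or omit the line so the variable default applies. Separately, the placeholder `gateway_SICKey = "12345678"` satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so nothing stops a copy-paste deployment with a guessable SIC key; a trailing comment such as `# replace with a random value before deploying`, or a placeholder the pattern rejects, would make the intent explicit.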
@@ -0,0 +1,195 @@
+// Module: Check Point CloudGuard Network Security Gateway into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instance"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "gateway_TokenKey" {
+ type = string
+ description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) Security Gateway prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the Security Gateway is provisioned using its private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = ""
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = ""
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway-master/versions.tf b/deprecated/terraform/aws/R80.40/gateway-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway-master/versions.tf
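Review bot: None of the secret-bearing inputs — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_TokenKey` — is declared `sensitive = true`, so their values flow unmasked into plan and apply output wherever the gateway module uses them, and from there into any CI log that captures it; versions.tf in this commit pins `required_version = ">= 0.14.3"`, and 0.14 is the release that added `sensitive` for input variables, so adding `sensitive = true` to each of those five blocks costs nothing. The file also mixes three validation mechanisms — a `validation` block on `configuration_template`, a `null_resource` whose `count` is `var.volume_size >= 100 ? 0 : "..."`, and the regex locals in locals.tf; replacing the `null_resource` with `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100." }` inside `variable "volume_size"` would drop the null provider dependency and match the style already used at the end of this file.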
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/gateway/README.md b/deprecated/terraform/aws/R80.40/gateway/README.md
new file mode 100755
index 00000000..b6cb4edc
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway/README.md
@@ -0,0 +1,191 @@ +# Check Point CloudGuard Network Security Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation + +See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gateway/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/gateway/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Gateway-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + gateway_TokenKey = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + + // --- Automatic Provisioning with Security Management Server Settings (optional) --- + control_gateway_over_public_or_private_address = "private" + management_server = "" + configuration_template = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Gateway instance: + ``` + allocate_and_associate_eip = true + ``` + - To create route from '0.0.0.0/0' to the Security Gateway instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|-----------------------|----------------------------------------------------| +| ami_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_url | URL to the portal of the deployed Security Gateway | +| gateway_public_ip | The deployed Security Gateway Server AWS public ip | +| gateway_instance_id | The deployed Security Gateway AWS instance id | +| gateway_instance_name | The deployed Security Gateway AWS instance name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default 
Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/gateway/locals.tf b/deprecated/terraform/aws/R80.40/gateway/locals.tf new file mode 100755 index 00000000..79c894db --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gateway/locals.tf 
@@ -0,0 +1,48 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0 + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + //will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_token = split(" ", var.gateway_TokenKey) + token_decode = base64decode(element(local.split_token, length(local.split_token)-1)) + regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)" + regex_token = regex(local.regex_token_valid, local.token_decode) == local.token_decode ? 0 : "Smart-1 Cloud token is invalid format" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 
0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/gateway/main.tf b/deprecated/terraform/aws/R80.40/gateway/main.tf new file mode 100755 index 00000000..164d6bf0 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gateway/main.tf 
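Review bot: The string messages in the `regex(...) == var.x ? 0 : "..."` locals are unreachable: when a value does not match, `regex()` itself aborts the plan with a generic function-call error, so the deployer never sees "must be at least 8 alphanumeric characters" (which also names `[gateway_SIC_Key]` although the variable is `gateway_SICKey`). Since versions.tf requires Terraform >= 0.14.3 and `configuration_template` in variables.tf already uses a `validation` block, these checks belong there, e.g. `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with the intended text as `error_message` (validation conditions cannot reference locals, so the pattern has to be inlined). Separately, `regex_token_valid` leaves the dots in `.checkpoint.com` unescaped and puts a greedy `(.+)` in front of them, so any decoded URL that merely contains the substring `checkpoint.com/app/maas/api/v1/tenant` passes; `\\.checkpoint\\.com` narrows it, and a comment should state that this is a format sanity check on the pasted token, not evidence that it was issued by Smart-1 Cloud.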
@@ -0,0 +1,119 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +resource "aws_iam_instance_profile" "gateway_instance_profile" { + count = local.enable_cloudwatch_policy + path = "/" + role = aws_iam_role.gateway_iam_role[count.index].name +} + +resource "aws_iam_role" "gateway_iam_role" { + count = local.enable_cloudwatch_policy + assume_role_policy = data.aws_iam_policy_document.gateway_role_assume_policy_document.json + path = "/" +} + +data "aws_iam_policy_document" "gateway_role_assume_policy_document" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.enable_cloudwatch_policy + role = aws_iam_role.gateway_iam_role[count.index].name + tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name +} + +resource "aws_network_interface" "public_eni" { + subnet_id = var.public_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "eth0" + source_dest_check = false + tags = { + Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) } +} +resource "aws_network_interface" "private_eni" { + subnet_id = var.private_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "eth1" + source_dest_check = false + tags = { + Name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) } +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + depends_on = [ + module.common_gateway_instance + ] + + allocate_and_associate_eip = var.allocate_and_associate_eip + external_eni_id = aws_network_interface.public_eni.id + private_ip_address = aws_network_interface.public_eni.private_ip +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = aws_network_interface.private_eni.id +} + +module "common_gateway_instance" { + source = "../modules/common/gateway_instance" + + external_eni_id = aws_network_interface.public_eni.id + internal_eni_id = aws_network_interface.private_eni.id + gateway_name = var.gateway_name + management_server = var.management_server + configuration_template = var.configuration_template + control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address + volume_size = var.volume_size + volume_encryption = var.volume_encryption + gateway_version = module.amis.version_license_with_suffix + gateway_instance_type = var.gateway_instance_type + instance_tags = var.instance_tags + key_name = var.key_name + iam_instance_profile_id = (local.enable_cloudwatch_policy == 1 ? 
aws_iam_instance_profile.gateway_instance_profile[0].id : "")
+ ami_id = module.amis.ami_id
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway/output.tf b/deprecated/terraform/aws/R80.40/gateway/output.tf
new file mode 100755
index 00000000..ab3c934f
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway/output.tf
@@ -0,0 +1,21 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "permissive_sg_id" {
+ value = module.common_permissive_sg.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.common_permissive_sg.permissive_sg_name
+}
+output "gateway_url" {
+ value = format("https://%s", module.common_eip.gateway_eip_public_ip[0])
+}
+output "gateway_public_ip" {
+ value = module.common_eip.gateway_eip_public_ip
+}
+output "gateway_instance_id" {
+ value = module.common_gateway_instance.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.common_gateway_instance.gateway_instance_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway/terraform.tfvars b/deprecated/terraform/aws/R80.40/gateway/terraform.tfvars
new file mode 100755
index 00000000..02b1f781
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway/terraform.tfvars
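Review bot: Both `aws_network_interface.public_eni` and `aws_network_interface.private_eni` are placed in `module.common_permissive_sg.permissive_sg_id` with `source_dest_check = false`, so the instance's exposure on the public subnet (optionally behind an EIP) is decided entirely by rules in `../modules/common/permissive_sg`, which this diff does not show; the module name suggests it admits all traffic and relies on the gateway's own policy to filter. That assumption should be stated next to the ENIs so a reader does not mistake it for an oversight, e.g. `# NOTE: permissive SG by design - filtering is done by the gateway policy, not by AWS; see ../modules/common/permissive_sg`. The `provider "aws"` block also takes `access_key`/`secret_key` from variables that default to `""`; a one-line comment there pointing at the environment-variable path the README describes would steer deployers away from writing long-lived static keys into terraform.tfvars.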
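Review bot: `gateway_url` indexes `module.common_eip.gateway_eip_public_ip[0]` unconditionally, while the EIP is only created when `allocate_and_associate_eip` is true; if the module returns an empty list in that case (its shape is not visible here, but the indexed access implies a list), the output fails with an invalid-index error at the end of every apply, whereas `gateway_public_ip`, which returns the whole list, does not. A guarded expression keeps the output usable in both modes: `value = length(module.common_eip.gateway_eip_public_ip) > 0 ? format("https://%s", module.common_eip.gateway_eip_public_ip[0]) : null`. Confirm the empty-list behaviour against ../modules/common/elastic_ip before relying on it.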
@@ -0,0 +1,46 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- Automatic Provisioning with Security Management Server Settings (optional) ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gateway/variables.tf b/deprecated/terraform/aws/R80.40/gateway/variables.tf
new file mode 100755
index 00000000..7d32ab1a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gateway/variables.tf
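Review bot: `gateway_SICKey = "12345678"` is a shipped, well-known value that satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a deployer who only fills in the VPC and subnet IDs gets a gateway whose one-time SIC password can be read from this repository. The example should fail validation until edited and say how to generate a real one, e.g. `gateway_SICKey = "" # REQUIRED: random string, >= 8 alphanumeric characters (e.g. openssl rand -hex 8)`. This is also the file the README tells users to put static `access_key`/`secret_key` in, so a header comment warning not to commit it with real values would be appropriate.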
@@ -0,0 +1,192 @@ +// Module: Check Point CloudGuard Network Security Gateway into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_id" { + type = string + description = "The public subnet of the security gateway" +} +variable "private_subnet_id" { + type = string + description = "The private subnet of the security gateway" +} +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Security Gateway instance in the specified route table (e.g. rtb-12a34567)" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instance" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateway" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 
0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance" + default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) Security Gateway prompt hostname" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} + +// --- (Optional) Automatic Provisioning with Security Management Server Settings --- +variable "control_gateway_over_public_or_private_address" { + type = string + description = "Determines if the Security Gateway is provisioned using its private or public address" + default = "private" +} +variable "management_server" { + type = string + description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration" + default = "" +} +variable "configuration_template" { + type = string + description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration" + default = "" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/gateway/versions.tf b/deprecated/terraform/aws/R80.40/gateway/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gateway/versions.tf 
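Review bot: `secret_key`, `gateway_SICKey`, `gateway_TokenKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are credentials or secrets, but none of them is declared `sensitive = true`, even though versions.tf requires Terraform >= 0.14.3 where the attribute exists, so their values appear verbatim in `terraform plan`/`apply` output and CI logs. Adding `sensitive = true` to each of those five variable blocks redacts them from output; it does not remove them from state, where they presumably end up inside the instance user_data assembled by `../modules/common/gateway_instance`, so the state backend still has to be treated as secret. The `volume_size` check via `null_resource.volume_size_too_small` also sits beside a proper `validation` block on `configuration_template`; a `validation` block with `condition = var.volume_size >= 100` and `error_message = "volume_size must be at least 100."` expresses it the same way without creating a resource.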
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/README.md b/deprecated/terraform/aws/R80.40/gwlb-master/README.md
new file mode 100755
index 00000000..5d5957e6
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb-master/README.md
@@ -0,0 +1,235 @@ +# Check Point CloudGuard Network Gateway Load Balancer Master Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can 
be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + 
minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | ""| no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | ""| no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221215 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/locals.tf b/deprecated/terraform/aws/R80.40/gwlb-master/locals.tf new file mode 100755 index 00000000..29a557ee --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gwlb-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/main.tf b/deprecated/terraform/aws/R80.40/gwlb-master/main.tf
new file mode 100755
index 00000000..da8bf39c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb-master/main.tf
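Review bot: The `regex_management_server` and `regex_configuration_template` checks report "can not be an empty string", yet the pattern's trailing `|)` alternative deliberately accepts the empty string, so the message names a failure that cannot occur while a real mismatch (a leading digit, a disallowed character, a name over 63 characters) gets a misleading error; `"Variable [management_server] must start with a letter and contain only letters, digits and hyphens (max 63)"` describes what the regex enforces. `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` only check shape (an octet may be 999) and accept `0.0.0.0/0`, which is exactly what the terraform.tfvars in this commit supplies for the networks allowed to reach the management server; `can(cidrhost(var.admin_cidr, 0))` validates the CIDR properly, and a separate check rejecting `0.0.0.0/0` would make an accidental world-open rule fail at plan time instead of apply time. Minor consistency points: `regex_gateway_maintenance_mode_password_hash` tests against `local.regex_valid_management_password_hash` rather than `local.regex_valid_gateway_password_hash` (identical today, so harmless), and the comment above `validate_control_over_public_or_private` names `var.control_gateway_over_public_or_private_address` while the check reads `var.gateways_provision_address_type`.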
@@ -0,0 +1,69 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "gwlb" {
+ source = "../gwlb"
+ providers = {
+ aws = aws
+ }
+ vpc_id = module.launch_vpc.vpc_id
+ subnet_ids = module.launch_vpc.public_subnets_ids_list
+
+ // --- General Settings ---
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ volume_size = var.volume_size
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ admin_shell = var.admin_shell
+
+ // --- Gateway Load Balancer Configuration ---
+ gateway_load_balancer_name = var.gateway_load_balancer_name
+ target_group_name = var.target_group_name
+ connection_acceptance_required = false
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
+ // --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/output.tf b/deprecated/terraform/aws/R80.40/gwlb-master/output.tf
new file mode 100755
index 00000000..15cb48a3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..f0f13c92
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb-master/terraform.tfvars
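Review bot: In the `module "gwlb"` call, `connection_acceptance_required = false` is hard-coded, so the `connection_acceptance_required` input that this commit's README table documents and its terraform.tfvars sets is silently ignored; `connection_acceptance_required = var.connection_acceptance_required` would honour it, assuming variables.tf declares the variable (that hunk is cut off in this chunk). The module sources `"../modules/vpc"` and `"../gwlb"` now resolve relative to `deprecated/terraform/aws/R80.40/`, so the move only works if those sibling modules were moved alongside; the chunk does not show them, so worth confirming with `terraform init`. The README for this module also documents the sources as `/terraform/aws/modules/vpc` and `/terraform/aws/autoscale-gwlb`, which no longer matches the paths here.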
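Review bot: `module "gwlb"` is declared without `count` or `for_each` in main.tf, so the splat in `module.gwlb[*].management_public_ip` (and `gwlb_arn`, `gwlb_service_name`) wraps the value in a single-element list rather than returning the plain IP/ARN/name the README's Outputs table describes; `value = module.gwlb.management_public_ip` gives the documented shape. The `depends_on = [module.gwlb]` on those outputs is redundant because the value expression already references the module, though it is harmless. The README table spells the output `managment_public_ip` while the output here is `management_public_ip`; one of the two should be corrected so consumers find the right name.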
@@ -0,0 +1,56 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
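Review bot: `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` in the committed terraform.tfvars allow every IPv4 source to reach the management server's admin (web, SSH, GUI clients per the README) and gateway-facing interfaces, and a checked-in tfvars is often applied unchanged; the README's sample for this module leaves both as `""`, which the locals.tf regex rejects so the plan fails until the operator supplies a real network, and that is the safer committed value. The same reasoning applies to `gateway_SICKey = "12345678"`, which is the documented minimum-length example rather than the random string the variable description asks for. As a style point, `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are quoted strings for bool-typed variables; Terraform converts them, but bare `false`/`true` would match the other booleans in the file.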
diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/variables.tf b/deprecated/terraform/aws/R80.40/gwlb-master/variables.tf new file mode 100755 index 00000000..fd72c46c --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gwlb-master/variables.tf 
@@ -0,0 +1,274 @@ +// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Network Configuration --- +variable "number_of_AZs" { + type = number + description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter" + default = 2 +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 
0 : "variable volume_size must be at least 100" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the automatic provisioning configuration." +} +variable "configuration_template" { + type = string + description = "A name of a gateway configuration template in the automatic provisioning configuration." + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Gateway Load Balancer Configuration --- + +variable "gateway_load_balancer_name" { + type = string + description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "gwlb1" +} +resource "null_resource" "gateway_load_balancer_name_too_long" { + // Will fail if gateway_load_balancer_name more than 32 + count = length(var.gateway_load_balancer_name) <= 32 ? 
0 : "variable gateway_load_balancer_name must be at most 32" +} +variable "target_group_name" { + type = string + description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "tg1" +} +resource "null_resource" "target_group_name_too_long" { + // Will fail if target_group_name more than 32 + count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32" +} +variable "connection_acceptance_required" { + type = bool + description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required)." + default = false +} +variable "enable_cross_zone_load_balancing" { + type = bool + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." + default = true +} + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateway instances. (optional)" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The EC2 instance type for the Security Gateways." + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "minimum_group_size" { + type = number + description = "The minimal number of Security Gateways." + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximal number of Security Gateways." + default = 10 +} +variable "gateway_version" { + type = string + description = "The version and license to install on the Security Gateways." 
+ default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} + +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics." 
+ default = false +} + +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- + +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address." 
+ default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Other parameters --- +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/gwlb-master/versions.tf b/deprecated/terraform/aws/R80.40/gwlb-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gwlb-master/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/deprecated/terraform/aws/R80.40/gwlb/README.md b/deprecated/terraform/aws/R80.40/gwlb/README.md new file mode 100755 index 00000000..a5f990ce --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gwlb/README.md 
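Review bot: `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash`, `management_maintenance_mode_password_hash` and `gateway_SICKey` are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and end up in CI logs; versions.tf on the same line pins `required_version = ">= 0.14.3"`, which supports the attribute, so adding `sensitive = true` to each of those variable blocks is safe here. Separately, the `count = <cond> ? 0 : "message"` trick in `null_resource.volume_size_too_small`, `gateway_load_balancer_name_too_long` and `target_group_name_too_long` fails with a type-conversion error instead of the intended text, while `configuration_template` in the same file already uses a native `validation { condition = … error_message = … }` block. Moving the three checks into `validation` blocks keeps the file consistent and gives operators a readable message.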
@@ -0,0 +1,228 @@ +# Check Point CloudGuard Network Gateway Load Balancer Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345" + subnet_ids = ["subnet-123457", "subnet-123456"] + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 
10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for GWLB: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| subnet_ids | The VPC subnets ID | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. 
| string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220523 | Add support for cross zone load balancing | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/gwlb/locals.tf b/deprecated/terraform/aws/R80.40/gwlb/locals.tf new file mode 100755 index 00000000..44363311 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/gwlb/locals.tf 
@@ -0,0 +1,55 @@
+locals {
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ?
0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
\ No newline at end of file
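Review bot: `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` check only the textual shape of the value, so an address such as 999.0.0.0/8 passes; since versions.tf in this change requires Terraform >= 0.14.3, a `validation` block on each variable with `condition = can(cidrhost(var.admin_cidr, 0))` would reject malformed prefixes and surface the intended `error_message` directly, whereas here the failure appears to come from `regex()` itself not matching, with the message string never shown. `regex_valid_management_server` and `regex_valid_configuration_template` both end in `|)$`, an alternative that admits the empty string, so the "can not be an empty string" messages describe a case the patterns accept — drop the empty alternative or reword the message. `regex_gateway_maintenance_mode_password_hash` validates against `local.regex_valid_management_password_hash` while the line above it uses `regex_valid_gateway_password_hash`; the two patterns are identical today, but referencing the gateway pattern keeps a future change to one from silently diverging. "none empty string" should read `non-empty string`.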
diff --git a/deprecated/terraform/aws/R80.40/gwlb/main.tf b/deprecated/terraform/aws/R80.40/gwlb/main.tf
new file mode 100755
index 00000000..7c4e4616
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb/main.tf
@@ -0,0 +1,99 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+module "gateway_load_balancer" {
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = "gateway"
+ instances_subnets = var.subnet_ids
+ prefix_name = var.gateway_load_balancer_name
+ internal = true
+
+ security_groups = []
+ tags = {
+ x-chkp-management = var.management_server
+ x-chkp-template = var.configuration_template
+ }
+ vpc_id = var.vpc_id
+ load_balancer_protocol = "GENEVE"
+ target_group_port = 6081
+ listener_port = 6081
+ cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+}
+
+resource "aws_vpc_endpoint_service" "gwlb_endpoint_service" {
+depends_on = [module.gateway_load_balancer]
+ gateway_load_balancer_arns = module.gateway_load_balancer[*].load_balancer_arn
+ acceptance_required = var.connection_acceptance_required
+
+ tags = {
+ "Name" = "gwlb-endpoint-service-${var.gateway_load_balancer_name}"
+ }
+}
+
+module "autoscale_gwlb" {
+ source = "../autoscale-gwlb"
+ providers = {
+ aws = aws
+ }
+ depends_on = [module.gateway_load_balancer]
+
+ target_groups = module.gateway_load_balancer[*].target_group_arn
+ vpc_id = var.vpc_id
+ subnet_ids = var.subnet_ids
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
admin_shell = var.admin_shell
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ volume_type = var.volume_type
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ? 1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.subnet_ids[0]
+ management_name = var.management_server
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = true
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ admin_shell = var.admin_shell
+ gateway_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_gwlb\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn gwlb-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; echo -e '\nFinished Bootstrap script\n'"
+ volume_type = var.volume_type
+ is_gwlb_iam
= true
+}
diff --git a/deprecated/terraform/aws/R80.40/gwlb/output.tf b/deprecated/terraform/aws/R80.40/gwlb/output.tf
new file mode 100755
index 00000000..3beba7ee
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb/output.tf
@@ -0,0 +1,22 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "gwlb_arn" {
+ value = module.gateway_load_balancer.load_balancer_arn
+}
+output "gwlb_service_name" {
+ value = "com.amazonaws.vpce.${data.aws_region.current.name}.${aws_vpc_endpoint_service.gwlb_endpoint_service.id}"
+}
+output "management_public_ip" {
+ depends_on = [module.management]
+ value = module.management[*].management_public_ip
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gwlb/terraform.tfvars b/deprecated/terraform/aws/R80.40/gwlb/terraform.tfvars
new file mode 100755
index 00000000..0e26ad11
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb/terraform.tfvars
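Review bot: `management_bootstrap_script` in `module "management"` interpolates `${var.gateways_policy}`, `${var.management_server}` and `${var.configuration_template}` into the `autoprov_cfg` command line unquoted; the latter two are constrained by the hostname-style patterns in locals.tf, but `gateways_policy` has no validation anywhere in this change, so a policy name containing whitespace or a shell metacharacter breaks or alters the command at boot. Quoting the argument, `-po '${var.gateways_policy}'`, keeps the command intact, or add a `validation` block restricting the name to the characters the policy package actually allows. The same string carries `-otp ${var.gateway_SICKey}`, so the SIC one-time key travels in the bootstrap script that the management module presumably delivers as instance user data and is stored in plaintext in the Terraform state; this looks inherent to the autoprov_cfg flow, but a comment at the assignment such as `// SIC key is embedded in the instance bootstrap script and in state; treat both as sensitive` would record it. The `depends_on` line inside `aws_vpc_endpoint_service.gwlb_endpoint_service` is at column 0 while the rest of the block is indented.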
@@ -0,0 +1,52 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-123456", "subnet-345678"]
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
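Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` open the Security Management Server's web, SSH and GUI-client access to any source if this file is applied unchanged; variables.tf in this change describes admin_cidr as the only network allowed to reach those services, and main.tf gives the management instance an Elastic IP via `allocate_and_associate_eip = true`, so the exposure is presumably public rather than VPC-internal. Unlike `key_name = "publickey"` or `gateway_SICKey = "12345678"`, a world CIDR does not read as a placeholder, so a trailing comment such as `# placeholder - restrict to the administrator network before deploying` on both lines would make that clear. Separately, `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are quoted strings while every other bool in this file is a bare literal; Terraform converts them, but `false`/`true` match the `type = bool` declarations and the rest of the file.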
diff --git a/deprecated/terraform/aws/R80.40/gwlb/variables.tf b/deprecated/terraform/aws/R80.40/gwlb/variables.tf
new file mode 100755
index 00000000..5f099c6c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb/variables.tf
@@ -0,0 +1,263 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. Recommended at least 2"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "connection_acceptance_required" {
+ type = bool
+ description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted.
Default is set to false(acceptance not required)."
+ default = false
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
+// --- Other parameters ---
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/gwlb/versions.tf b/deprecated/terraform/aws/R80.40/gwlb/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/gwlb/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/management/README.md b/deprecated/terraform/aws/R80.40/management/README.md
new file mode 100755
index 00000000..0acbdd0a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/README.md
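Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash`, `gateway_maintenance_mode_password_hash` and `management_maintenance_mode_password_hash` carry credential material, yet none of the six `variable` blocks declares `sensitive = true`, so the values — and the `management_bootstrap_script` string in main.tf that embeds the SIC key — are printed in full in `terraform plan` and `apply` output; versions.tf in this change requires Terraform >= 0.14.3, which supports the attribute, so adding `sensitive = true` to each of those blocks is a one-line change apiece. `vpc_id` is the only variable in the file without a `description`. The file already uses a `validation` block for `configuration_template`, but `volume_size_too_small`, `gateway_load_balancer_name_too_long` and `target_group_name_too_long` are enforced through `null_resource` count expressions whose failure surfaces as a count type error rather than the intended message; each of those checks reads a single variable and could move into a `validation` block with the same condition and the string as its `error_message` (`invalid_allocation` reads two variables and would need to stay as is on the older Terraform releases this module allows).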
@@ -0,0 +1,200 @@ +# Check Point CloudGuard Network Security Management Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Management Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Security Management Server with CloudGuard for AWS](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/management/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/management/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/management/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + management_name = "CP-Management-tf" + management_instance_type = "m5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + management_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ // --- Security Management Server Settings --- + management_hostname = "mgmt-tf" + management_installation_type = "Primary management" + SICKey = "" + allow_upload_download = "true" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" + management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Management instance: + ``` + allocate_and_associate_eip = true + ``` + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| management_name | (Optional) The name tag of the Security Management instance | string | n/a | Check-Point-Management-tf | no | +| management_instance_type | The instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance | map(string) | n/a | {} | no | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no |
+| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no |
+| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no |
+| management_version | Management version and license | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no |
+| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
+| management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no |
+| management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no |
+| management_installation_type | Determines if this is the primary management server, secondary management server or log server | string | - Primary management
- Secondary management
- Log Server
| Primary management | yes |
+| SICKey | Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no |
+| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no |
+| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no |
+| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
+| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
+| management_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no |
+
+
+## Outputs
+| Name | Description |
+|--------------------------|--------------------------------------------------------------|
+| management_instance_id | The deployed Security Management Server AWS instance id |
+| management_instance_name | The deployed Security Management AWS instance name |
+| management_instance_tags | The deployed Security Management Server AWS tags |
+| management_public_ip | The deployed Security Management Server AWS public ip |
+| management_url | URL to the portal of the deployed Security Management Server |
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description |
+|------------------|---------------------------------------------------------------------------------------------------------------|
+| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20240207 | Added Log Server installation support |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | First release of Check Point Security Management Server Terraform module for AWS |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/deprecated/terraform/aws/R80.40/management/locals.tf b/deprecated/terraform/aws/R80.40/management/locals.tf
new file mode 100755
index 00000000..896719ba
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/locals.tf
@@ -0,0 +1,76 @@
+locals {
+ permissions_allowed_values = [
+ "None (configure later)",
+ "Use existing (specify an existing IAM role name)",
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.iam_permissions)
+
+ use_role = var.iam_permissions == "None (configure later)" ? 0 : 1
+ create_iam_role = var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions"
+ pre_role = (local.use_role == 1 && local.create_iam_role == false) ? 1 : 0
+ new_instance_profile = (local.create_iam_role == true && local.use_role == 1) ? 1 : 0
+
+ new_instance_profile_general = local.new_instance_profile == 1 && var.is_gwlb_iam == false ? 1 : 0
+ new_instance_profile_gwlb = local.new_instance_profile == 1 && var.is_gwlb_iam ? 1 : 0
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // Will fail if var.gateway_management is invalid
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_subnet or var.gateway_addresses are invalid
+ mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+ regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"
+ // Will fail if var.SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.SICKey) == var.SICKey ? 0 : "Variable [SICKey] must be at least 8 alphanumeric characters"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.management_version), 0)
+
+ management_bootstrap_script64 = base64encode(var.management_bootstrap_script)
+ management_SICkey_base64=base64encode(var.SICKey)
+ management_password_hash_base64=base64encode(var.management_password_hash)
+ maintenance_mode_password_hash_base64=base64encode(var.management_maintenance_mode_password_hash)
+
+ manage_over_the_internet = var.gateway_management == "Over the internet" ? true : false
+ manage_over_internet_and_EIP = var.allocate_and_associate_eip && local.manage_over_the_internet ? true : false
+ pub_mgmt = local.manage_over_internet_and_EIP ? true : false
+
+ management_installation_type_allowed_values = [
+ "Primary management",
+ "Secondary management",
+ "Log Server"]
+ validate_management_installation_type = index(local.management_installation_type_allowed_values, var.management_installation_type)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/management/main.tf b/deprecated/terraform/aws/R80.40/management/main.tf
new file mode 100755
index 00000000..3714dfa2
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/main.tf
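Review bot: The SICKey check in `regex_sic_result` can never fail: `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` is unanchored, so `regex()` always succeeds (the empty alternative matches at offset 0), and on a mismatch the error string is merely assigned to a local that nothing in main.tf reads. The neighbouring checks only work because their `^...$` patterns make `regex()` itself raise on a non-matching value, so the comment `// Will fail if var.SICKey is invalid` is wrong for this one. Anchoring it, `regex_valid_sic_key = "^(|[a-zA-Z0-9]{8,})$"`, restores the intended behaviour; since versions.tf pins `required_version = ">= 0.14.3"`, a `validation` block on the variable would be the clearer form. `management_hostname` gets no pattern at all even though main.tf passes it into the cloud-init command line, so a check like the NTP ones would be worth adding for it too.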
@@ -0,0 +1,221 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.management_version
+ chkp_type = "management"
+}
+
+resource "aws_security_group" "management_sg" {
+ description = "terraform Management security group"
+ vpc_id = var.vpc_id
+ name_prefix = format("%s_SecurityGroup", var.management_name)
+ // Group name
+ tags = {
+ Name = format("%s_SecurityGroup", var.management_name)
+ // Resource name
+ }
+ ingress {
+ from_port = 257
+ to_port = 257
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18191
+ to_port = 18191
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18192
+ to_port = 18192
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18208
+ to_port = 18208
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18210
+ to_port = 18210
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18211
+ to_port = 18211
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18221
+ to_port = 18221
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18264
+ to_port = 18264
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 18190
+ to_port = 18190
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 19009
+ to_port = 19009
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_network_interface" "external-eni" {
+ subnet_id = var.subnet_id
+ security_groups = [aws_security_group.management_sg.id]
+ description = "eth0"
+ source_dest_check = true
+ tags = {
+ Name = format("%s-network_interface", var.management_name)
+ }
+}
+
+resource "aws_eip" "eip" {
+ count = var.allocate_and_associate_eip ? 1 : 0
+ network_interface = aws_network_interface.external-eni.id
+}
+
+resource "aws_iam_instance_profile" "management_instance_profile" {
+ count = local.pre_role
+ path = "/"
+ role = var.predefined_role
+}
+
+resource "aws_launch_template" "management_launch_template" {
+ depends_on = [
+ aws_network_interface.external-eni,
+ aws_eip.eip
+ ]
+
+ instance_type = var.management_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): ""
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.external-eni.id
+ device_index = 0
+ }
+}
+
+resource "aws_instance" "management-instance" {
+ depends_on = [
+ aws_launch_template.management_launch_template
+ ]
+
+ launch_template {
+ id = aws_launch_template.management_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.management_name
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = var.volume_type
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/management_userdata.yaml", {
+ // script's arguments
+ Hostname = var.management_hostname,
+ PasswordHash = local.management_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ NTPPrimary = var.primary_ntp
+ NTPSecondary = var.secondary_ntp
+ Shell = var.admin_shell,
+ AdminSubnet = var.admin_cidr
+ ManagementInstallationType = var.management_installation_type
+ SICKey = local.management_SICkey_base64,
+ OsVersion = local.version_split
+ EnableInstanceConnect = var.enable_instance_connect
+ AllocateElasticIP = var.allocate_and_associate_eip
+ GatewayManagement = var.gateway_management
+ BootstrapScript = local.management_bootstrap_script64
+ PubMgmt = local.pub_mgmt
+
+ })
+}
+
+module "cme_iam_role" {
+ source = "../cme-iam-role"
+ providers = {
+ aws = aws
+ }
+ count = local.new_instance_profile_general
+
+ sts_roles = var.sts_roles
+ permissions = var.iam_permissions
+}
+
+module "cme_iam_role_gwlb" {
+ source = "../cme-iam-role-gwlb"
+ providers = {
+ aws = aws
+ }
+ count = local.new_instance_profile_gwlb
+
+ sts_roles = var.sts_roles
+ permissions = var.iam_permissions
+}
diff --git a/deprecated/terraform/aws/R80.40/management/management_userdata.yaml b/deprecated/terraform/aws/R80.40/management/management_userdata.yaml
new file mode 100755
index 00000000..0f3801ff
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/management_userdata.yaml
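Review bot: The `management_sg` ingress rules for ports 22, 443, 18190 and 19009 are bound to `var.admin_cidr`, whose declared default in variables.tf and the sample value in terraform.tfvars are both `0.0.0.0/0`, so a deployment that does not override it exposes SSH and the management web portal to every address; the eight gateway ports on `var.gateway_addresses` have the same default. As this is the deprecated R80.40 copy that may be deliberate parity with the live template, but a comment at the security group such as `// admin_cidr and gateway_addresses default to 0.0.0.0/0 - restrict both before deploying` would make the exposure visible where it is created. The `iam_instance_profile` name expression is a nested ternary around `join("", ...)` over a splat and is hard to read; moving it into a local with a one-line comment naming the three cases (predefined role, GWLB role module, plain role module) would help. The catch-all `egress` rule is presumably required by the appliance, but it also deserves a comment saying so.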
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/management/output.tf b/deprecated/terraform/aws/R80.40/management/output.tf
new file mode 100755
index 00000000..da20727b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/output.tf
@@ -0,0 +1,19 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_instance_id" {
+ value = aws_instance.management-instance.id
+}
+output "management_instance_name" {
+ value = aws_instance.management-instance.tags["Name"]
+}
+output "management_instance_tags" {
+ value = aws_instance.management-instance.tags
+}
+output "management_public_ip" {
+ value = aws_instance.management-instance.public_ip
+}
+output "management_url" {
+ value = format("https://%s", aws_instance.management-instance.public_ip)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/management/terraform.tfvars b/deprecated/terraform/aws/R80.40/management/terraform.tfvars
new file mode 100755
index 00000000..81891681
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/terraform.tfvars
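Review bot: Only the `"management_installation_type=\"${ManagementInstallationType}\""` argument is wrapped in an outer pair of double quotes, which is what lets a value containing a space ("Primary management") reach `cloud_config.py` as one argument; `hostName=\"${Hostname }\"`, the NTP arguments and the rest are not, so a value containing whitespace or shell metacharacters would be word-split or interpreted by the shell first. The NTP and password-hash values are regex-restricted in locals.tf and the SIC key and bootstrap script are base64-encoded, but `management_hostname` appears to be the one free-form value with no check, so it depends solely on the operator entering a clean string; quoting every argument the way `management_installation_type` is quoted (or validating the hostname) closes that gap. `${Hostname }` also carries a stray space inside the interpolation, harmless to templatefile but inconsistent with the other placeholders. `templateVersion=\"20231012\"` is hard-coded while the management README revision table earlier in this commit lists 20240310 as the latest; for a deprecated snapshot that is probably intentional, but a short comment on the line would make it explicit.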
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+management_name = "CP-Management-tf"
+management_instance_type = "m5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+management_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+// --- Security Management Server Settings ---
+management_hostname = "mgmt-tf"
+management_installation_type = "Primary management"
+SICKey = ""
+allow_upload_download = "true"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/deprecated/terraform/aws/R80.40/management/variables.tf b/deprecated/terraform/aws/R80.40/management/variables.tf
new file mode 100755
index 00000000..763918f0
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/variables.tf
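Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"`, which the security group in main.tf turns into world-reachable SSH, HTTPS and gateway ports; a sample with a narrower placeholder, or a comment on those two lines saying they must be restricted, is safer to copy. `allow_upload_download = "true"` is a string for a variable declared `bool` — Terraform converts it, but `true` would match the other booleans in the file. The trailing comment on `management_maintenance_mode_password_hash` uses `#` while the rest of the file uses `//`. `primary_ntp = ""` and `secondary_ntp = ""` override the non-empty defaults declared in variables.tf, which may be intended but is worth a comment.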
@@ -0,0 +1,194 @@
+// Module: Check Point CloudGuard Network Security Management Server into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_id" {
+ type = string
+ description = "To access the instance from the internet, make sure the subnet has a route to the internet"
+}
+
+// --- EC2 Instance Configuration ---
+variable "management_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Management instance"
+ default = "Check-Point-Management-tf"
+}
+variable "management_instance_type" {
+ type = string
+ description = "The instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable AWS Instance Connect - Ec2 Instance Connect is not supported with versions prior to R80.40"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance"
+ default = {}
+}
+
+// --- IAM Permissions (ignored when the installation is not Primary Management Server) ---
+variable "iam_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read permissions"
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'"
+ default = ""
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing'"
+ default = []
+}
+
+// --- Check Point Settings ---
+variable "management_version" {
+ type = string
+ description = "Management version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Security Management Server Settings ---
+variable "management_hostname" {
+ type = string
+ description = "(Optional) Security Management Server prompt hostname"
+ default = ""
+}
+variable "management_installation_type" {
+ type = string
+ description = "Determines the Management Server installation type: Primary management, Secondary management, Log Server"
+ default = "Primary management"
+}
+variable "SICKey" {
+ type = string
+ description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Security Management Server"
+ default = "0.0.0.0/0"
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "management_bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "is_gwlb_iam" {
+ type = bool
+ default = false
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/management/versions.tf b/deprecated/terraform/aws/R80.40/management/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/management/versions.tf
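Review bot: `secret_key`, `management_password_hash`, `management_maintenance_mode_password_hash` and `SICKey` are declared without `sensitive = true`, although versions.tf pins `required_version = ">= 0.14.3"` where the argument is available; main.tf base64-encodes the last three into `user_data`, so without the flag the values and the encoded user data are echoed in plan and apply output. Adding `sensitive = true` to each of the four declarations is a one-line change apiece. `vpc_id` and `is_gwlb_iam` carry no `description`, unlike every other variable in the file. The regex and `index()` checks kept in locals.tf could be expressed as `validation` blocks on these variables, which is the supported form on that Terraform version and yields a readable error instead of a bare regex failure.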
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/mds/README.md b/deprecated/terraform/aws/R80.40/mds/README.md
new file mode 100755
index 00000000..112c8958
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/mds/README.md
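Review bot: The `http` provider is required without a `source`, so Terraform resolves it implicitly as `hashicorp/http`; adding `source = "hashicorp/http"` next to `version = "~> 3.4.0"` keeps the entry explicit like the `aws` one. Nothing in this directory's hunks uses an `http` data source, so it is presumably consumed by the `../modules/amis` module referenced from main.tf — if that is not the case the requirement can be dropped.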
@@ -0,0 +1,190 @@ +# Check Point CloudGuard Network Multi-Domain Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Multi-Domain Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Multi-Domain Management Deployment on AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143213) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/mds/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/mds/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/mds/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + mds_name = "CP-MDS-tf" + mds_instance_type = "m5.12xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + mds_version = "R81.20-BYOL" + mds_admin_shell = "/etc/cli.sh" + mds_password_hash = "" + mds_maintenance_mode_password_hash = "" + + // --- Multi-Domain Server Settings --- + mds_hostname = "mds-tf" + mds_SICKey = "" + allow_upload_download = "true" + mds_installation_type = "Primary Multi-Domain Server" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" 
+ mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + and + mds_installation_type = "Primary Multi-Domain Server" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| mds_name | (Optional) The name tag of the Multi-Domain Server instance | string | n/a | Check-Point-MDS-tf | no | +| mds_instance_type | The instance type of the Multi-Domain Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.12xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | +| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | +| mds_version | Multi-Domain Server version and license | string | - R80.40-BYOL
- R81-BYOL
- R81.10-BYOL
- R81.20-BYOL
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | +| mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| mds_SICKey | Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| mds_installation_type | Determines the Multi-Domain Server installation type | string | - Primary Multi-Domain Server
- Secondary Multi-Domain Server
- Multi-Domain Log Server | Primary Multi-Domain Server | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| mds_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| mds_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). 
| string | n/a | "" | no | + + +## Outputs +| Name | Description | +|-------------------|----------------------------------------------------| +| mds_instance_id | The deployed Multi-Domain Server AWS instance id | +| mds_instance_name | The deployed Multi-Domain Server AWS instance name | +| mds_instance_tags | The deployed Multi-Domain Server AWS tags | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/mds/locals.tf b/deprecated/terraform/aws/R80.40/mds/locals.tf new file mode 100755 index 00000000..7dd690a2 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/mds/locals.tf 
@@ -0,0 +1,69 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.iam_permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.iam_permissions) + + installation_type_allowed_values = [ + "Primary Multi-Domain Server", + "Secondary Multi-Domain Server", + "Multi-Domain Log Server"] + // Will fail if var.mds_installation_type is invalid + validate_installation_type = index(local.installation_type_allowed_values, var.mds_installation_type) + + primary_mds = var.mds_installation_type == "Primary Multi-Domain Server" + secondary_mds = var.mds_installation_type == "Secondary Multi-Domain Server" + + use_role = var.iam_permissions != "None (configure later)" && local.primary_mds ? 1 : 0 + create_iam_role = (local.primary_mds) && (var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions") + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.mds_admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 
0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.mds_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.mds_hostname) == var.mds_hostname ? 0 : "Variable [mds_hostname] must be a valid hostname label or an empty string" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_mds_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.mds_password_hash is invalid + regex_mds_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_password_hash) == var.mds_password_hash ? 0 : "Variable [mds_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_maintenance_mode_password_hash) == var.mds_maintenance_mode_password_hash ? 0 : "Variable [mds_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})" + // Will fail if var.mds_SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.mds_SICKey) == var.mds_SICKey ? 
0 : "Variable [mds_SICKey] must be at least 8 alphanumeric characters" + //Splits the version and licence and returns the os version + version_split = element(split("-", var.mds_version), 0) + + mds_bootstrap_script64 = base64encode(var.mds_bootstrap_script) + mds_SICkey_base64 = base64encode(var.mds_SICKey) + mds_password_hash_base64 =base64encode(var.mds_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.mds_maintenance_mode_password_hash) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/mds/main.tf b/deprecated/terraform/aws/R80.40/mds/main.tf new file mode 100755 index 00000000..8a22b264 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/mds/main.tf 
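Review bot: `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` in locals.tf is unanchored and lists the empty alternative first; with RE2's leftmost-first alternation `regex()` may return "" for a non-empty key, in which case `regex_sic_result` rejects exactly the keys the variable description says are mandatory for secondary and log servers, so I would verify this with a non-empty mds_SICKey before relying on it. The full-match comparison used throughout this file only works reliably with anchors: `regex_valid_sic_key = "^(|[a-zA-Z0-9]{8,})$"`. Separately, the error string for `mgmt_subnet_regex_result` names `var.admin_subnet` while the value checked is `var.admin_cidr`, and `regex_valid_cidr_range` makes the prefix length optional, so a bare address passes validation here and is likely rejected by the AWS API only at apply time.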
@@ -0,0 +1,194 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.mds_version + chkp_type = "mds" +} + +resource "aws_security_group" "mds_sg" { + description = "terraform Multi-Domain Server security group" + vpc_id = var.vpc_id + name_prefix = format("%s_SecurityGroup", var.mds_name) + // Group name + tags = { + Name = format("%s_SecurityGroup", var.mds_name) + // Resource name + } + ingress { + from_port = 257 + to_port = 257 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 8211 + to_port = 8211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18191 + to_port = 18191 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18192 + to_port = 18192 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18208 + to_port = 18208 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18210 + to_port = 18210 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18211 + to_port = 18211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18221 + to_port = 18221 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18264 + to_port = 18264 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 18190 + to_port = 18190 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 19009 + to_port = 19009 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + + egress { + from_port = 0 + to_port = 0 + protocol = 
"-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_iam_instance_profile" "mds_instance_profile" { + count = local.use_role + path = "/" + role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role +} + +resource "aws_network_interface" "external-eni" { + subnet_id = var.subnet_id + security_groups = [aws_security_group.mds_sg.id] + description = "eth0" + source_dest_check = true + tags = { + Name = format("%s-network_interface", var.mds_name) + } +} + +resource "aws_launch_template" "mds_launch_template" { + instance_type = var.mds_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = local.use_role == 1 ? aws_iam_instance_profile.mds_instance_profile[0].id : "" + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.external-eni.id + device_index = 0 + } +} + +resource "aws_instance" "mds-instance" { + launch_template { + id = aws_launch_template.mds_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.mds_name + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + user_data = templatefile("${path.module}/mds_userdata.yaml", { + // script's arguments + Hostname = var.mds_hostname, + PasswordHash = local.mds_password_hash_base64 + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp + NTPSecondary = var.secondary_ntp + Shell = var.mds_admin_shell, + AdminSubnet = var.admin_cidr + IsPrimary = local.primary_mds + IsSecondary = local.secondary_mds + SICKey = local.mds_SICkey_base64, + EnableInstanceConnect = var.enable_instance_connect + BootstrapScript = local.mds_bootstrap_script64 + OsVersion = local.version_split + }) +} + +module "cme_iam_role" { + source = "../cme-iam-role" + providers = { + aws = aws + } + count = local.create_iam_role ? 1 : 0 + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} diff --git a/deprecated/terraform/aws/R80.40/mds/mds_userdata.yaml b/deprecated/terraform/aws/R80.40/mds/mds_userdata.yaml new file mode 100755 index 00000000..3321cd60 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/mds/mds_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/mds/output.tf b/deprecated/terraform/aws/R80.40/mds/output.tf new file mode 100755 index 00000000..c1d3783a --- /dev/null 
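Review bot: The `user_data` block of `aws_instance.mds-instance` embeds the admin password hash, the maintenance-mode hash and the SIC key as base64, which is encoding rather than encryption; user data is readable from the instance via IMDS and by any principal allowed ec2:DescribeInstanceAttribute, and it is kept in the Terraform state. I would add a comment above `user_data = templatefile(...)` such as `// NOTE: user_data carries base64-encoded credentials; it is readable via IMDS and DescribeInstanceAttribute and lands in the state file — restrict access to both`. The `ebs_block_device` hard-codes `volume_type = "gp2"`, whereas the management template in this same change exposes `var.volume_type` with a gp3 default, so the hard-coded value looks unintended. The launch template is referenced as `version = "$Latest"`, so any out-of-band edit to the template is picked up on the next replacement; `version = aws_launch_template.mds_launch_template.latest_version` keeps the instance tied to the version Terraform created.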
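Review bot: `templateVersion=\"20231012\"` in mds_userdata.yaml lags the 20240310 entry that the README in this same change lists as the latest revision (IMDSv2 support), so deployments report an older template version to cloud_config.py than the one they run. Every parameter is interpolated into a single shell command line, which is acceptable only because locals.tf constrains hostname, NTP and CIDR values by regex and base64-encodes the key and hashes; I would record that invariant above `runcmd:` with `# all interpolated values are regex-validated in locals.tf or base64-encoded; keep that when adding parameters`. `${Hostname }` also carries a stray space before the closing brace.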
+++ b/deprecated/terraform/aws/R80.40/mds/output.tf
@@ -0,0 +1,13 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "mds_instance_id" {
+ value = aws_instance.mds-instance.id
+}
+output "mds_instance_name" {
+ value = aws_instance.mds-instance.tags["Name"]
+}
+output "mds_instance_tags" {
+ value = aws_instance.mds-instance.tags
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/mds/terraform.tfvars b/deprecated/terraform/aws/R80.40/mds/terraform.tfvars
new file mode 100755
index 00000000..e79af359
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/mds/terraform.tfvars
@@ -0,0 +1,41 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+mds_name = "CP-MDS-tf"
+mds_instance_type = "m5.12xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+mds_version = "R81.20-BYOL"
+mds_admin_shell = "/etc/cli.sh"
+mds_password_hash = ""
+mds_maintenance_mode_password_hash = ""
+
+// --- Multi-Domain Server Settings ---
+mds_hostname = "mds-tf"
+mds_SICKey = ""
+allow_upload_download = "true"
+mds_installation_type = "Primary Multi-Domain Server"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/deprecated/terraform/aws/R80.40/mds/variables.tf b/deprecated/terraform/aws/R80.40/mds/variables.tf
new file mode 100755
index 00000000..f4218e4c
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/mds/variables.tf
@@ -0,0 +1,175 @@ +// Module: Check Point CloudGuard Network Multi-Domain Server into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_id" { + type = string + description = "To access the instance from the internet, make sure the subnet has a route to the internet" +} + +// --- EC2 Instance Configuration --- +variable "mds_name" { + type = string + description = "(Optional) The name tag of the Multi-Domain Server instance" + default = "Check-Point-MDS-tf" +} +variable "mds_instance_type" { + type = string + description = "The instance type of the Multi-Domain Server" + default = "m5.2xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "mds" + instance_type = var.mds_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance" + default = {} +} + +// --- IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server) --- +variable "iam_permissions" { + type = string + description = "IAM role to attach to the instance profile" + default = "Create with read permissions" +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'" + default = "" +} +variable "sts_roles" { + type = list(string) + description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). 
Ignored if var.iam_permissions is set to 'None' or 'Use existing'" + default = [] +} + +// --- Check Point Settings --- +variable "mds_version" { + type = string + description = "Multi-Domain Server version and license" + default = "R81.20-BYOL" +} +module "validate_mds_version" { + source = "../modules/common/version_license" + + chkp_type = "mds" + version_license = var.mds_version +} +variable "mds_admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "mds_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "mds_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Multi-Domain Server Settings --- +variable "mds_hostname" { + type = string + description = "(Optional) Multi-Domain Server prompt hostname" + default = "" +} +variable "mds_SICKey" { + type = string + description = "Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "mds_installation_type" { + type = string + description = "Determines the Multi-Domain Server installation type" + default = "Primary Multi-Domain Server" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server" + default = "0.0.0.0/0" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "mds_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} diff --git a/deprecated/terraform/aws/R80.40/mds/versions.tf b/deprecated/terraform/aws/R80.40/mds/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/mds/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + } +} diff --git a/deprecated/terraform/aws/R80.40/modules/amis/main.tf b/deprecated/terraform/aws/R80.40/modules/amis/main.tf new file mode 100755 index 00000000..355ed112 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/amis/main.tf 
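Review bot: `secret_key`, `mds_password_hash`, `mds_maintenance_mode_password_hash` and `mds_SICKey` in variables.tf are declared without `sensitive = true`, so their values are printed verbatim in plan and apply output; versions.tf in this same change requires Terraform `>= 0.14.3`, which supports the attribute, so adding `sensitive = true` to those four blocks costs nothing. `admin_cidr` and `gateway_addresses` default to `0.0.0.0/0`, which through the security group in main.tf opens SSH, HTTPS and the management ports to the whole internet unless the operator overrides them; I would at least remove the default from `admin_cidr` so it has to be set deliberately. `mds_instance_type` defaults to `m5.2xlarge` while the README Inputs table in this change lists `m5.12xlarge` as the default, and `vpc_id` is the only variable without a description.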
@@ -0,0 +1,23 @@
+locals {
+ amis_yaml_regionMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.RegionMap
+ amis_yaml_converterMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.ConverterMap
+
+
+ // Variables example:
+ // version_license = "R80.40-PAYG-NGTX"
+ // RESULT:
+ // version_license_key = "R80.40-PAYG-NGTX-GW"
+
+ // version_license_value = "R8040PAYGNGTXGW"
+
+ version_license_key_mgmt_gw = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management"? "-MGMT" : var.chkp_type == "mds" ? "-MGMT" : "")
+ version_license_key = var.chkp_type == "standalone" ? format("%s%s", var.version_license, element(split("-", var.version_license), 1) == "BYOL" ? "-MGMT" : "") : local.version_license_key_mgmt_gw
+
+ version_license_value = local.amis_yaml_converterMap[local.version_license_key]["Value"]
+
+ // Variables example:
+ // region = "us-east-1"
+ // version_license_key - see above
+ // RESULT: local.ami_id = "ami-1234567"
+ ami_id = local.amis_yaml_regionMap[local.region][local.version_license_value]
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/amis/output.tf b/deprecated/terraform/aws/R80.40/modules/amis/output.tf
new file mode 100755
index 00000000..0be16a15
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/amis/output.tf
@@ -0,0 +1,6 @@
+output "ami_id" {
+ value = local.ami_id
+}
+output "version_license_with_suffix" {
+ value = local.version_license_key
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/amis/variables.tf b/deprecated/terraform/aws/R80.40/modules/amis/variables.tf
new file mode 100755
index 00000000..3cbf7b1b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/amis/variables.tf
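Review bot: `ami_id` on the last line of the hunk is whatever the remotely fetched YAML says it is, and nothing in this module checks that the image belongs to the expected publisher before it is handed to the launch template. The document is also parsed by slicing the response body at the first literal `Resources` and `yamldecode`-ing the prefix, so any reordering of the upstream file breaks the lookup with an opaque error. A cheap guard is a `data "aws_ami"` lookup on the resolved ID constrained by `owners`, so a tampered or mistyped mapping fails the plan instead of launching an arbitrary AMI; the trusted owner list is not visible here and would have to be confirmed against the publisher and added as a module input. Until then a comment above `ami_id` such as `// Trusts the remote mapping verbatim (see amis_url); no owner or integrity check is performed` at least makes the trust boundary explicit.
```hcl
// … unchanged: version_license_key / version_license_value locals …
// Fail the plan if the remote mapping resolves to an image not published by a trusted owner.
data "aws_ami" "resolved" {
  owners = var.trusted_ami_owners // new input, e.g. ["aws-marketplace"] or the publisher's account ID — confirm
  filter {
    name   = "image-id"
    values = [local.amis_yaml_regionMap[local.region][local.version_license_value]]
  }
}
// … in locals: ami_id = data.aws_ami.resolved.id …
```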
@@ -0,0 +1,26 @@
+variable "amis_url" {
+ type = string
+ description = "URL to amis.yaml"
+ default = "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml"
+}
+
+data "http" "amis_yaml_http" {
+ url = var.amis_url
+}
+
+data "aws_region" "current" {}
+locals {
+ region = data.aws_region.current.name
+}
+
+// --- Version & License ---
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+variable "version_license" {
+ type = string
+ description = "Version and license"
+}
+
diff --git a/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/main.tf b/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/main.tf
new file mode 100755
index 00000000..3d191a01
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/main.tf
@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["cloudwatch:PutMetricData"]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "policy" {
+ name_prefix = format("%s-iam_policy", var.tag_name)
+ policy = data.aws_iam_policy_document.policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "attachment" {
+ role = var.role
+ policy_arn = aws_iam_policy.policy.arn
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/variables.tf b/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/variables.tf
new file mode 100755
index 00000000..2d3f9452
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/cloudwatch-policy/variables.tf
@@ -0,0 +1,9 @@
+variable "tag_name" {
+ type = string
+ description = "(Optional) IAM policy name prefix"
+ default = "cloudwatch"
+}
+variable "role" {
+ type = string
+ description = "A IAM role to attach the cloudwatch policy to it"
+}
\ No newline at end of file
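Review bot: The default for `amis_url` points at a bucket named `cgi-cfts-staging`, so every plan of this supposedly frozen R80.40 tree resolves its AMI from a staging location whose contents can change or disappear independently of the template. The `data "http"` fetch carries no integrity check and no `retry`, and it sits in variables.tf alongside `data "aws_region"`, which hides the fact that this module performs a network call at plan time. If the default must stay, annotate it: `// staging bucket: contents are mutable and unverified; override amis_url or pin an AMI for production use`. Whether a non-staging URL exists for this mapping cannot be determined from the diff.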
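Review bot: The `cloudwatch:PutMetricData` statement lets the attached role write metrics into any namespace in the account, because `resources = ["*"]` is the only scoping present. That action does not support resource-level ARNs, so `*` is unavoidable, but it does honour the `cloudwatch:namespace` condition key; adding `condition { test = "StringEquals" variable = "cloudwatch:namespace" values = [var.metric_namespace] }` confines the instance to the namespace the Check Point agent actually publishes to. The namespace string is not visible in this diff and would have to come from the on-box CloudWatch integration, so it belongs in a new variable rather than a literal.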
diff --git a/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/main.tf b/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/main.tf
new file mode 100755
index 00000000..b56eacd6
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/main.tf
@@ -0,0 +1,38 @@
+resource "aws_iam_role" "cluster_iam_role" {
+ assume_role_policy = data.aws_iam_policy_document.cluster_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cluster_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "cluster_role_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssociateAddress",
+ "ec2:CreateRoute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:ReplaceRoute"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cluster_role_policy" {
+ policy = data.aws_iam_policy_document.cluster_role_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_policy" {
+ policy_arn = aws_iam_policy.cluster_role_policy.arn
+ role = aws_iam_role.cluster_iam_role.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/output.tf b/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/output.tf
new file mode 100755
index 00000000..7bbf0351
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/cluster-iam-role/output.tf
@@ -0,0 +1,9 @@
+output "cluster_iam_role" {
+ value = aws_iam_role.cluster_iam_role
+}
+output "cluster_iam_role_arn" {
+ value = aws_iam_role.cluster_iam_role.arn
+}
+output "cluster_iam_role_name" {
+ value = aws_iam_role.cluster_iam_role.name
+}
\ No newline at end of file
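Review bot: The instance role policy in `cluster_role_policy_doc` lets either cluster member re-point any route in any route table and re-associate any Elastic IP or secondary private IP in the account, since all six actions are granted on `resources = ["*"]` with no condition. Only the two `Describe*` calls genuinely need `*`; `ec2:CreateRoute`, `ec2:ReplaceRoute`, `ec2:AssociateAddress` and `ec2:AssignPrivateIpAddresses` accept resource-level permissions and the `ec2:Vpc` condition key, so the mutating half can be fenced to the cluster's own VPC (confirm the exact keys against the service authorization reference before relying on them). The module currently takes no inputs, so a `vpc_arn` variable (or a VPC ID plus region/account lookups) would have to be added to express that. Splitting the statement as below also makes the remaining `*` easy to justify in review.
```hcl
data "aws_iam_policy_document" "cluster_role_policy_doc" {
  version = "2012-10-17"
  // Describe* calls do not support resource-level permissions; "*" is required here.
  statement {
    effect    = "Allow"
    actions   = ["ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables"]
    resources = ["*"]
  }
  // Failover mutations are confined to the cluster's own VPC.
  statement {
    effect = "Allow"
    actions = [
      "ec2:AssignPrivateIpAddresses",
      "ec2:AssociateAddress",
      "ec2:CreateRoute",
      "ec2:ReplaceRoute"]
    resources = ["*"]
    condition {
      test     = "ArnEquals"
      variable = "ec2:Vpc"
      values   = [var.vpc_arn] // new input, e.g. arn:aws:ec2:REGION:ACCOUNT:vpc/vpc-xxxx
    }
  }
}
```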
diff --git a/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/locals.tf b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/locals.tf new file mode 100755 index 00000000..c4af5bca --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/locals.tf @@ -0,0 +1,3 @@ +locals { + allocate_and_associate_eip_condition = var.allocate_and_associate_eip == true ? 1 : 0 +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/main.tf b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/main.tf new file mode 100755 index 00000000..879748a9 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/main.tf @@ -0,0 +1,10 @@ +resource "aws_eip" "gateway_eip" { + count = local.allocate_and_associate_eip_condition + network_interface = var.external_eni_id +} +resource "aws_eip_association" "address_assoc" { + count = local.allocate_and_associate_eip_condition + allocation_id = aws_eip.gateway_eip[count.index].id + network_interface_id = var.external_eni_id + private_ip_address = var.private_ip_address +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/output.tf b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/output.tf new file mode 100755 index 00000000..31857b83 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/output.tf @@ -0,0 +1,9 @@ +output "gateway_eip_id" { + value = aws_eip.gateway_eip.*.id +} +output "gateway_eip_public_ip" { + value = aws_eip.gateway_eip.*.public_ip +} +output "gateway_eip_attached_instance" { + value = aws_eip.gateway_eip.*.instance +} diff --git a/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/variables.tf new file mode 100755 index 00000000..c6881436 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/elastic_ip/variables.tf 
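Review bot: `aws_eip.gateway_eip` sets `network_interface = var.external_eni_id`, which already associates the address, and then `aws_eip_association.address_assoc` associates the same allocation with the same ENI again for a specific `private_ip_address`, so two resources claim ownership of one association and can disagree on refresh. Letting the association resource own it — drop the `network_interface` argument from `aws_eip`, and with the 5.x provider pinned elsewhere in this tree add `domain = "vpc"` to silence the deprecation — removes the ambiguity. I have not reproduced the drift here, so treat the double-association as likely rather than confirmed.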
@@ -0,0 +1,13 @@ +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "external_eni_id" { + type = string + description = "The external-eni of the security gateway" +} +variable "private_ip_address" { + type = string + description = "The primary or secondary private IP address to associate with the Elastic IP address. " +} diff --git a/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/gateway_userdata.yaml b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/gateway_userdata.yaml new file mode 100755 index 00000000..05538232 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/gateway_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/locals.tf b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/locals.tf new file mode 100755 index 00000000..a0d9034d --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/locals.tf 
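Review bot: The single `runcmd` line hands the SIC key, the Smart-1 Cloud token, both password hashes and the bootstrap script to `cloud_config.py` as command-line arguments inside user data, and nothing in the diff treats that payload as secret. User data is retrievable by any local process through IMDS (`/latest/user-data`) and by any IAM principal with `ec2:DescribeInstanceAttribute`, the `base64encode` applied upstream is encoding rather than protection, and while the command runs the arguments are visible to other local users via the process table. The file should at least open with a header such as `# NOTE: user data embeds the SIC key, Smart-1 Cloud token and password hashes; treat instance user data as sensitive and rotate the SIC key once trust is established`, and the odd quoting of `"smart1CloudToken=\"${TokenKey}\""` versus every other argument is worth normalising so the shell parses all values the same way. Whether the on-box script scrubs user data afterwards cannot be seen from here.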
@@ -0,0 +1,39 @@ +locals { + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + + volume_encryption_condition = var.volume_encryption != "" ? 
true : false + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.gateway_version), 0) + + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) + gateway_maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/main.tf b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/main.tf new file mode 100755 index 00000000..38382cc2 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/main.tf 
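Review bot: The hostname check in `regex_gateway_hostname` reports `Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string`, a message copied from another module, so an operator who mistypes `gateway_hostname` is pointed at a variable that does not exist here. None of the four `regex(...) == var.x ? 0 : "..."` messages can surface anyway: `regex()` raises its own "no match" error before the comparison runs, so the string branches are dead and the user only ever sees Terraform's generic function failure. Since this module's variables.tf already uses a `validation` block for `configuration_template`, the idiomatic fix is `condition = can(regex("^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", var.gateway_hostname))` with the pattern inlined (a `validation` block may only reference its own variable) and `error_message = "Variable [gateway_hostname] must be a valid hostname label or an empty string"`; the SIC-key and password-hash checks deserve the same treatment. Note the hash pattern deliberately admits the empty string because both hash variables default to empty.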
@@ -0,0 +1,63 @@ +resource "aws_launch_template" "gateway_launch_template" { + key_name = var.key_name + image_id = var.ami_id + instance_type = var.gateway_instance_type + description = "Initial launch template version" + + iam_instance_profile { + name = var.iam_instance_profile_id + } + + network_interfaces { + network_interface_id = var.external_eni_id + device_index = 0 + } + + network_interfaces { + network_interface_id = var.internal_eni_id + device_index = 1 + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } +} + +resource "aws_instance" "gateway_instance" { + launch_template { + id = aws_launch_template.gateway_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.gateway_name + x-chkp-tags = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.control_gateway_over_public_or_private_address) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition ? true : false + kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" + } + + user_data = templatefile("${path.module}/gateway_userdata.yaml", { + // script's arguments + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.gateway_maintenance_mode_password_hash_base64, + Shell = var.admin_shell, + SICKey = local.gateway_SICkey_base64, + TokenKey = var.gateway_TokenKey, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + Hostname = var.gateway_hostname, + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + EnableInstanceConnect = var.enable_instance_connect, + OsVersion = local.version_split + }) +} 
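Review bot: In the `templatefile` call, `TokenKey = var.gateway_TokenKey` is the only value that reaches the `runcmd` shell line neither base64-encoded nor regex-checked — the SIC key and both hashes are validated and encoded in locals.tf, the bootstrap script is encoded, and the hostname is validated — so a token containing a quote or `$` breaks or alters the generated shell command. The token is operator-supplied rather than attacker-controlled, so this is a robustness gap more than an exploit path, but it deserves the same handling as its siblings: either `TokenKey = base64encode(var.gateway_TokenKey)` if `/etc/cloud_config.py` accepts an encoded value for that argument (not visible here), or a `regex` guard in locals.tf restricting it to the characters a Smart-1 Cloud token can contain. Separately, `kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""` passes an empty string rather than `null` when encryption is off, and the root device is declared through `ebs_block_device` rather than `root_block_device`; the provider may tolerate both, but they read as accidents.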
diff --git a/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/output.tf b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/output.tf new file mode 100755 index 00000000..0c5f6d02 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/output.tf @@ -0,0 +1,9 @@ +output "gateway_instance_id" { + value = aws_instance.gateway_instance.id +} +output "gateway_instance_arn" { + value = aws_instance.gateway_instance.arn +} +output "gateway_instance_name" { + value = aws_instance.gateway_instance.tags["Name"] +} diff --git a/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/variables.tf new file mode 100755 index 00000000..0e1a010c --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/gateway_instance/variables.tf 
@@ -0,0 +1,147 @@ +variable "external_eni_id" { + type = string + description = "The external-eni of the security gateway" +} +variable "internal_eni_id" { + type = string + description = "The internal-eni of the security gateway" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} +variable "management_server" { + type = string + description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration" + default = "" +} +variable "configuration_template" { + type = string + description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration" + default = "" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} +variable "control_gateway_over_public_or_private_address" { + type = string + description = "Determines if the Security Gateway is provisioned using its private or public address" + default = "private" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')." 
+ default = "alias/aws/ebs" +} +variable "gateway_version" { + type = string + description = "Gateway version & license" + default = "R81.20-BYOL" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance." + default = {} +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "ami_id" { + type = string + description = "The AMI to use for the instance" +} +variable "iam_instance_profile_id" { + type = string + description = "The IAM instance profile id" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "primary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/instance_type/main.tf b/deprecated/terraform/aws/R80.40/modules/common/instance_type/main.tf new file mode 100755 index 00000000..22fffe49 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/instance_type/main.tf 
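Review bot: `gateway_SICKey`, `gateway_TokenKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are declared without `sensitive = true`, so their values — and the user data built from them — are printed in plan output and CI logs in clear. The root modules in this tree pin `required_version = ">= 0.14.3"` (see the mds versions.tf in this diff), which is the release that introduced the attribute, so adding `sensitive = true` to each of those four blocks costs nothing and makes Terraform redact the derived locals and the `user_data` attribute as well. The `null_resource "volume_size_too_small"` count-as-error trick could become a `validation` block on `volume_size` like the one `configuration_template` already has, giving a readable error instead of a type-conversion failure.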
@@ -0,0 +1,353 @@ +locals { + gw_types = [ + "c4.large", + "c4.xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mgmt_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + 
"c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mds_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + 
"c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + server_types = [ + "t3.nano", + "t3.micro", + "t3.small", + "t3.medium", + "t3.large", + "t3.xlarge", + "t3.2xlarge" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_types : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_types : [] + mds_values = var.chkp_type == "mds" ? local.mds_types : [] + server_values = var.chkp_type == "server" ? 
local.server_types : [] + sa_values = var.chkp_type == "standalone" ? concat(local.gw_types, local.mgmt_types) : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values , local.server_types) + is_allowed_type = index(local.allowed_values, var.instance_type) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/instance_type/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/instance_type/variables.tf new file mode 100755 index 00000000..1711c3f7 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/instance_type/variables.tf @@ -0,0 +1,22 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "mds", + "standalone", + "server" + ] + // Will fail if var.chkp_type is invalid + validate_instance_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "instance_type" { + type = string + description = "AWS Instance type" +} + diff --git a/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/locals.tf b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/locals.tf new file mode 100755 index 00000000..493c4d9a --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/locals.tf @@ -0,0 +1,3 @@ +locals { + internal_route_table_condition = var.private_route_table != "" ? 1 : 0 +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/main.tf b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/main.tf new file mode 100755 index 00000000..ddcb5bd8 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/main.tf 
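Review bot: The `coalescelist(...)` in the second `locals` block passes `local.server_types` instead of `local.server_values` as its last argument, so `server_values` is computed but never read and the fallback is the unconditioned t3 list rather than the type-gated one. Today this is masked because `chkp_type` is separately validated against the five allowed names in variables.tf, but any type added there without a matching list here would silently validate instance types against the t3 family instead of failing; the fix is `allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values, local.server_values)`. Validation via `index()` also surfaces as an opaque "element not found" error, where a `validation` block using `contains(...)` could name the offending type, and the `gw_types`/`mgmt_types`/`mds_types` lists differ only by the two `c4` entries so they could be derived from one shared list.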
@@ -0,0 +1,6 @@
+resource "aws_route" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ destination_cidr_block = "0.0.0.0/0"
+ network_interface_id = var.internal_eni_id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/output.tf b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/output.tf
new file mode 100755
index 00000000..fa691b92
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/output.tf
@@ -0,0 +1,3 @@
+output "internal_default_route_id" {
+ value = aws_route.internal_default_route.*.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/variables.tf
new file mode 100755
index 00000000..b8e2f458
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/internal_default_route/variables.tf
@@ -0,0 +1,9 @@
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default=""
+}
+variable "internal_eni_id" {
+ type = string
+ description = "The internal-eni of the security gateway"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/load_balancer/main.tf b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/main.tf
new file mode 100755
index 00000000..18b3b753
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/main.tf
@@ -0,0 +1,36 @@
+resource "random_id" "unique_lb_id" {
+ keepers = {
+ prefix = var.prefix_name
+ }
+ byte_length = 8
+}
+resource "aws_lb" "load_balancer" {
+ name = substr(format("%s-%s", "${var.prefix_name}-LB", random_id.unique_lb_id.hex), 0, 32)
+ load_balancer_type = var.load_balancers_type == "gateway" ? "gateway" : var.load_balancers_type == "Network Load Balancer" ? "network": "application"
+ internal = var.load_balancers_type == "gateway" ? "false" : var.internal
+ subnets = var.instances_subnets
+ security_groups = var.security_groups
+ tags = var.tags
+ enable_cross_zone_load_balancing = var.cross_zone_load_balancing
+}
+resource "aws_lb_target_group" "lb_target_group" {
+ name = substr(format("%s-%s", "${var.prefix_name}-TG", random_id.unique_lb_id.hex), 0, 32)
+ vpc_id = var.vpc_id
+ protocol = var.load_balancer_protocol
+ port = var.target_group_port
+ health_check {
+ port = var.load_balancers_type != "gateway" ? var.health_check_port : 8117
+ protocol = var.load_balancers_type != "gateway" ? var.health_check_protocol : "TCP"
+ }
+}
+resource "aws_lb_listener" "lb_listener" {
+ depends_on = [aws_lb.load_balancer, aws_lb_target_group.lb_target_group]
+ load_balancer_arn = aws_lb.load_balancer.arn
+ certificate_arn = var.certificate_arn
+ protocol = var.load_balancers_type != "gateway" ? var.load_balancer_protocol : null
+ port = var.load_balancers_type != "gateway" ? var.listener_port : null
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.lb_target_group.arn
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/modules/common/load_balancer/output.tf b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/output.tf
new file mode 100755
index 00000000..63123606
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/output.tf
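Review bot: `aws_lb_listener.lb_listener` sets `certificate_arn` but no `ssl_policy`, so an HTTPS or TLS listener created by this module falls back to the AWS default policy, which still negotiates TLS 1.0 and 1.1. Adding `ssl_policy = contains(["HTTPS", "TLS"], var.load_balancer_protocol) ? "ELBSecurityPolicy-TLS13-1-2-2021-06" : null` pins a modern policy only where one applies. Two smaller points in the same file: `internal = ... ? "false" : var.internal` mixes a string literal with a bool, and `certificate_arn = var.certificate_arn` forwards the empty-string default for plain TCP/HTTP listeners, which the provider tolerates today but is cleaner as `var.certificate_arn != "" ? var.certificate_arn : null`. For the application variant, `drop_invalid_header_fields = true` on `aws_lb` is the other usual hardening knob.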
@@ -0,0 +1,18 @@ +output "load_balancer_id" { + value = aws_lb.load_balancer.id +} +output "load_balancer_arn" { + value = aws_lb.load_balancer.arn +} +output "load_balancer_url" { + value = aws_lb.load_balancer.dns_name +} +output "target_group_id" { + value = aws_lb_target_group.lb_target_group.id +} +output "target_group_arn" { + value = aws_lb_target_group.lb_target_group.arn +} +output "load_balancer_tags" { + value = aws_lb.load_balancer.tags +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/modules/common/load_balancer/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/variables.tf new file mode 100755 index 00000000..2e143fc7 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/modules/common/load_balancer/variables.tf 
@@ -0,0 +1,62 @@
+variable "instances_subnets" {
+ type = list(string)
+ description = "Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+variable "prefix_name" {
+ type = string
+ description = "Load Balancer and Target Group prefix name"
+ default = "quickstart"
+}
+variable "internal" {
+ type = bool
+ description = "Select 'true' to create an Internal Load Balancer."
+ default = false
+}
+variable "security_groups" {
+ type = list(string)
+ description = "A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application"
+}
+variable "tags" {
+ type = map(string)
+ description = "A map of tags to assign to the load balancer."
+}
+variable "vpc_id" {
+ type = string
+}
+variable "load_balancers_type" {
+ type = string
+ description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing"
+ default = "Network Load Balancer"
+}
+variable "load_balancer_protocol" {
+ type = string
+ description = "The protocol to use on the Load Balancer."
+}
+variable "target_group_port" {
+ type = number
+ description = "The port on which targets receive traffic."
+}
+variable "listener_port" {
+ type = string
+ description = "The port on which the load balancer is listening."
+}
+variable "certificate_arn" {
+ type = string
+ description = "The ARN of the default server certificate. Exactly one certificate is required if the protocol is HTTPS or TLS. "
+ default = ""
+}
+variable "cross_zone_load_balancing"{
+ type = bool
+ default = false
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+}
+variable "health_check_port" {
+ description = "The health check port"
+ type = number
+ default = null
+}
+variable "health_check_protocol" {
+ description = "The health check protocol"
+ type = string
+ default = null
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/main.tf b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/main.tf
new file mode 100755
index 00000000..265f3c56
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/main.tf
@@ -0,0 +1,20 @@
+resource "aws_security_group" "permissive_sg" {
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ name_prefix = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Group name
+ tags = {
+ Name = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Resource name
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/output.tf b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/output.tf
new file mode 100755
index 00000000..83541c15
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/output.tf
@@ -0,0 +1,9 @@
+output "permissive_sg_id" {
+ value = aws_security_group.permissive_sg.id
+}
+output "permissive_sg_name" {
+ value = aws_security_group.permissive_sg.name
+}
+output "permissive_sg_arn" {
+ value = aws_security_group.permissive_sg.arn
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/variables.tf
new file mode 100755
index 00000000..d2afaad2
--- /dev/null
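Review bot: `aws_security_group.permissive_sg` opens ingress on every protocol from `0.0.0.0/0` and the module exposes no input to narrow it (only `vpc_id`, `resources_tag_name` and `gateway_name` are declared). A `source_cidrs` list variable defaulting to `["0.0.0.0/0"]` and `cidr_blocks = var.source_cidrs` on the ingress block would keep today's behaviour while letting callers scope it, and a one-line comment above `ingress` saying why the group is this open (presumably the gateway's own policy does the filtering — confirm) would document the intent for the next reader. Being an archived copy under deprecated/, the same point applies to whichever maintained module this was copied from.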
+++ b/deprecated/terraform/aws/R80.40/modules/common/permissive_sg/variables.tf
@@ -0,0 +1,13 @@
+variable "vpc_id" {
+ type = string
+}
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway-tf"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/common/version_license/main.tf b/deprecated/terraform/aws/R80.40/modules/common/version_license/main.tf
new file mode 100755
index 00000000..4b53b80a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/version_license/main.tf
@@ -0,0 +1,71 @@
+locals {
+ gw_versions = [
+ "R80.40-BYOL",
+ "R80.40-PAYG-NGTP",
+ "R80.40-PAYG-NGTX",
+ "R81-BYOL",
+ "R81-PAYG-NGTP",
+ "R81-PAYG-NGTX",
+ "R81.10-BYOL",
+ "R81.10-PAYG-NGTP",
+ "R81.10-PAYG-NGTX",
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
+ ]
+ mgmt_versions = [
+ "R80.40-BYOL",
+ "R80.40-PAYG",
+ "R81-BYOL",
+ "R81-PAYG",
+ "R81.10-BYOL",
+ "R81.10-PAYG",
+ "R81.20-BYOL",
+ "R81.20-PAYG",
+ "R82-BYOL",
+ "R82-PAYG"
+ ]
+ mds_versions = [
+ "R80.40-BYOL",
+ "R81-BYOL",
+ "R81.10-BYOL",
+ "R81.20-BYOL",
+ "R82-BYOL"
+ ]
+ standalone_versions = [
+ "R80.40-BYOL",
+ "R80.40-PAYG-NGTP",
+ "R81-BYOL",
+ "R81-PAYG-NGTP",
+ "R81.10-BYOL",
+ "R81.10-PAYG-NGTP",
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R82-BYOL",
+ "R82-PAYG-NGTP"
+ ]
+ gwlb_gw_versions = [
+ "R80.40-BYOL",
+ "R80.40-PAYG-NGTP",
+ "R80.40-PAYG-NGTX",
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
+ ]
+}
+
+locals {
+ gw_values = var.chkp_type == "gateway" ? local.gw_versions : []
+ mgmt_values = var.chkp_type == "management" ? local.mgmt_versions : []
+ mds_values = var.chkp_type == "mds" ? local.mds_versions : []
+ standalone_values = var.chkp_type == "standalone" ? local.standalone_versions : []
+ gwlb_gw_values = var.chkp_type == "gwlb_gw" ? local.gwlb_gw_versions : []
+ allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.standalone_values, local.mds_values, local.gwlb_gw_values)
+ is_allowed_type = index(local.allowed_values, var.version_license)
+}
diff --git a/deprecated/terraform/aws/R80.40/modules/common/version_license/variables.tf b/deprecated/terraform/aws/R80.40/modules/common/version_license/variables.tf
new file mode 100755
index 00000000..9467e232
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/common/version_license/variables.tf
@@ -0,0 +1,21 @@
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+locals {
+ type_allowed_values = [
+ "gateway",
+ "management",
+ "mds",
+ "standalone",
+ "gwlb_gw"]
+ // Will fail if var.chkp_type is invalid
+ validate_chkp_type = index(local.type_allowed_values, var.chkp_type)
+}
+
+variable "version_license" {
+ type = string
+ description = "AWS Version license"
+}
+
diff --git a/deprecated/terraform/aws/R80.40/modules/custom-autoscale/locals.tf b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/locals.tf
new file mode 100755
index 00000000..1a9b6900
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/locals.tf
@@ -0,0 +1,9 @@
+locals {
+ asg_name = format("%s%s-servers", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+
+ provided_target_groups_condition = var.servers_target_groups != "" ? true : false
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/custom-autoscale/main.tf b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/main.tf
new file mode 100755
index 00000000..c361388d
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/main.tf
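Review bot: In `locals.tf` the pattern `^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$` makes the whole ID optional, so an empty `var.server_ami` passes `regex_server_ami` and only fails later when `image_id` is applied; dropping the trailing `?` after the outer group rejects the empty string. In addition, `regex()` returns a list of captured substrings when the pattern has unnamed groups, so the comparison `== var.server_ami` may never hold and the local may silently take the message string — worth checking in `terraform console`. A single expression like `can(regex("^ami-([0-9a-f]{8}|[0-9a-f]{17})$", var.server_ami))` avoids both issues, and since Terraform 0.13 a `validation` block on `server_ami` would report the message as written instead of via a local.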
@@ -0,0 +1,94 @@
+resource "aws_security_group" "servers_security_group" {
+ count = var.deploy_internal_security_group ? 1 : 0
+ name_prefix = format("%s_ServersSecurityGroup", local.asg_name)
+ description = "Servers security group"
+ vpc_id = var.vpc_id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = format("%s_ServersSecurityGroup", local.asg_name)
+ }
+}
+
+
+resource "aws_launch_template" "servers_launch_template" {
+ name_prefix = local.asg_name
+ network_interfaces {
+ associate_public_ip_address = var.allocate_public_address
+ security_groups = var.deploy_internal_security_group ? [aws_security_group.servers_security_group[0].id] : [var.source_security_group]
+ }
+ key_name = var.key_name
+ image_id = var.server_ami
+ description = "Initial template version"
+ monitoring {
+ enabled = true
+ }
+ instance_type = var.servers_instance_type
+}
+resource "aws_autoscaling_group" "servers_group" {
+ name_prefix = local.asg_name
+ vpc_zone_identifier = var.servers_subnets
+ launch_template {
+ name = aws_launch_template.servers_launch_template.name
+ version = aws_launch_template.servers_launch_template.latest_version
+ }
+ min_size = var.servers_min_group_size
+ max_size = var.servers_max_group_size
+ target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : []
+
+ tag {
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.server_name)
+ propagate_at_launch = true
+ }
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ adjustment_type = "ChangeInCapacity"
+ autoscaling_group_name = aws_autoscaling_group.servers_group.name
+ name = "scale_up_policy"
+ cooldown = 300
+ scaling_adjustment = 1
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ adjustment_type = "ChangeInCapacity"
+ autoscaling_group_name = aws_autoscaling_group.servers_group.name
+ name = "scale_down_policy"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = "300"
+ evaluation_periods = "2"
+ threshold = "80"
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.servers_group.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+ alarm_name = "cpu_alarm_high"
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
+ alarm_description = "Scale-down if CPU < 60% for 10 minutes"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = "300"
+ evaluation_periods = "2"
+ threshold = "60"
+ alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.servers_group.name
+ }
+ comparison_operator = "LessThanThreshold"
+ alarm_name = "cpu_alarm_low"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/custom-autoscale/variables.tf b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/variables.tf
new file mode 100755
index 00000000..a99cb9a5
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/custom-autoscale/variables.tf
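Review bot: `aws_launch_template.servers_launch_template` declares no `metadata_options`, so the workload servers still answer IMDSv1 requests, while the README added in this same commit documents a `metadata_imdsv2_required` input for the gateway side; adding `metadata_options { http_tokens = "required" }` inside the launch template (three lines) would bring the servers to the same baseline. Separately, `aws_security_group.servers_security_group` admits ingress on all protocols from `0.0.0.0/0`, which sits oddly next to `source_security_group` being described as the allowed source — either scope the rule to that group or add a comment above `ingress` stating that the open rule is deliberate. The resource also declares no `egress` block; with this provider resource that typically strips the default allow-all egress rule, so confirm that is intended for these instances.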
@@ -0,0 +1,89 @@
+// Module: Auto Scaling group of workload servers
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+ description = "Select an existing VPC"
+}
+variable "servers_subnets" {
+ type = list(string)
+ description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f)"
+}
+
+// --- EC2 Instances Configuration ---
+variable "server_ami" {
+ type = string
+ description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)"
+}
+variable "server_name" {
+ type = string
+ description = "AMI of the servers"
+ default = "Server-tf"
+}
+variable "servers_instance_type" {
+ type = string
+ description = "The EC2 instance type for the web servers"
+ default = "t3.micro"
+}
+module "validate_servers_instance_type" {
+ source = "../common/instance_type"
+
+ chkp_type = "server"
+ instance_type = var.servers_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "allocate_public_address" {
+ type = bool
+ description = "Allocate an elastic IP for each server"
+ default = false
+}
+
+// --- Auto Scaling Configuration ---
+variable "servers_min_group_size" {
+ type = number
+ description = "The minimal number of servers in the Auto Scaling group"
+ default = 2
+}
+resource "null_resource" "servers_min_group_size_too_small" {
+ // servers_min_group_size validation - resource will not be created if the size is smaller than 1
+ count = var.servers_min_group_size >= 1 ? 
0 : "servers_min_group_size must be at least 1"
+}
+variable "servers_max_group_size" {
+ type = number
+ description = "The maximal number of servers in the Auto Scaling group"
+ default = 10
+}
+resource "null_resource" "servers_max_group_size_too_small" {
+ // servers_max_group_size validation - resource will not be created if the size is smaller than 1
+ count = var.servers_max_group_size >= 1 ? 0 : "servers_max_group_size must be at least 1"
+}
+variable "servers_target_groups" {
+ type = string
+ description = "(Optional) An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces)"
+ default = ""
+}
+variable "deploy_internal_security_group" {
+ type = bool
+ description = "Select 'false' to use an existing Security group"
+ default = true
+}
+variable "source_security_group" {
+ type = string
+ description = "The ID of Security Group from which access will be allowed to the instances in this Auto Scaling group"
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/modules/vpc/main.tf b/deprecated/terraform/aws/R80.40/modules/vpc/main.tf
new file mode 100755
index 00000000..b4b223b8
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/vpc/main.tf
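Review bot: The description of `servers_target_groups` promises a comma-separated list of ARNs, but `main.tf` in this same commit wraps the raw string as one element (`target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : []`), so two or more ARNs would be handed to the ASG as a single malformed ARN. Either reword the description to "a single Target Group ARN" or split it in main.tf with `split(",", var.servers_target_groups)`. The `null_resource` count idiom used for `servers_min_group_size` and `servers_max_group_size` surfaces as a type-conversion error on `count` rather than the message text; a `validation` block on each variable with `condition = var.servers_min_group_size >= 1` and the same `error_message` reports it as written.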
@@ -0,0 +1,66 @@
+// --- VPC ---
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+}
+
+// --- Internet Gateway ---
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.vpc.id
+}
+
+// --- Public Subnets ---
+resource "aws_subnet" "public_subnets" {
+ for_each = var.public_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ map_public_ip_on_launch = true
+ tags = {
+ Name = format("Public subnet %s", each.value)
+ }
+}
+
+// --- Private Subnets ---
+resource "aws_subnet" "private_subnets" {
+ for_each = var.private_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ tags = {
+ Name = format("Private subnet %s", each.value)
+ }
+}
+
+// --- tgw Subnets ---
+resource "aws_subnet" "tgw_subnets" {
+ for_each = var.tgw_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ tags = {
+ Name = format("tgw subnet %s", each.value)
+ }
+}
+
+
+// --- Routes ---
+resource "aws_route_table" "public_subnet_rtb" {
+ vpc_id = aws_vpc.vpc.id
+ tags = {
+ Name = "Public Subnets Route Table"
+ }
+}
+resource "aws_route" "vpc_internet_access" {
+ route_table_id = aws_route_table.public_subnet_rtb.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+}
+resource "aws_route_table_association" "public_rtb_to_public_subnets" {
+ for_each = { for public_subnet in aws_subnet.public_subnets : public_subnet.cidr_block => public_subnet.id }
+ route_table_id = aws_route_table.public_subnet_rtb.id
+ subnet_id = each.value
+}
+
diff --git a/deprecated/terraform/aws/R80.40/modules/vpc/output.tf b/deprecated/terraform/aws/R80.40/modules/vpc/output.tf
new file mode 100755
index 00000000..fc4173c9
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/vpc/output.tf
@@ -0,0 +1,18 @@
+output "vpc_id" {
+ value = aws_vpc.vpc.id
+}
+output "public_subnets_ids_list" {
+ value = [for public_subnet in aws_subnet.public_subnets : public_subnet.id ]
+}
+output "private_subnets_ids_list" {
+ value = [for private_subnet in aws_subnet.private_subnets : private_subnet.id]
+}
+output "tgw_subnets_ids_list" {
+ value = [for tgw_subnet in aws_subnet.tgw_subnets : tgw_subnet.id]
+}
+output "public_rtb" {
+ value = aws_route_table.public_subnet_rtb.id
+}
+output "aws_igw" {
+ value = aws_internet_gateway.igw.id
+}
diff --git a/deprecated/terraform/aws/R80.40/modules/vpc/variables.tf b/deprecated/terraform/aws/R80.40/modules/vpc/variables.tf
new file mode 100755
index 00000000..2623f9d0
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/modules/vpc/variables.tf
@@ -0,0 +1,22 @@
+variable "vpc_cidr" {
+ type = string
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "tgw_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+ default = {}
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
+}
+
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/README.md b/deprecated/terraform/aws/R80.40/qs-autoscale-master/README.md
new file mode 100755
index 00000000..54c7049b
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/README.md
@@ -0,0 +1,256 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/qs-autoscale +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale and /terraform/aws/management: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Network Load Balancer" + LB_protocol = "TCP" + certificate = "arn:aws:iam::12345678:server-certificate/certificate" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + 
gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = false + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = true + servers_instance_type = "t3.micro" + server_ami = "ami-12345abc" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| private_subnets_ids_list | A list of the private subnets ids | +| public_rout_table | The public route table id | +| internal_port | The internal Load Balancer should listen to this port | +| management_name | The deployed Security Management AWS instance name | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_lb_target_group_arn | The external Load Balancer Target Group ARN | +| internal_lb_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of 
the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231127 | Add support for parameter admin shell | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details 
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/locals.tf b/deprecated/terraform/aws/R80.40/qs-autoscale-master/locals.tf
new file mode 100755
index 00000000..e23f58a2
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/locals.tf
@@ -0,0 +1,63 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"] : [
+ "HTTP",
+ "HTTPS"]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ? 0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/main.tf b/deprecated/terraform/aws/R80.40/qs-autoscale-master/main.tf
new file mode 100755
index 00000000..9c7eada0
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/main.tf
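Review bot: The comment above `regex_management_password_hash` reads `// Will fail if var.gateway_password_hash is invalid`, a leftover from the gateway block; it should say `// Will fail if var.management_password_hash is invalid` so a reader knows which input this check guards. The key-name pattern `"[\\S\\s]+[\\S]+"` requires at least two characters, so the error text `must be a none empty string` both has a typo and understates what is rejected; `must be a non-empty string of at least two characters` would match the regex. The certificate pattern only accepts `server-certificate/` ARNs with an empty region field, which appears to exclude ACM certificate ARNs; if that is intentional, the `certificate` variable description should say IAM server certificates only.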
@@ -0,0 +1,60 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "launch_qs_autoscale" {
+ source = "../qs-autoscale"
+ providers = {
+ aws = aws
+ }
+
+ region = var.region
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = module.launch_vpc.vpc_id
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ provision_tag = var.provision_tag
+ load_balancers_type = var.load_balancers_type
+ load_balancer_protocol = var.load_balancer_protocol
+ certificate = var.certificate
+ service_port = var.service_port
+ admin_shell = var.admin_shell
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ gateway_instance_type = var.gateway_instance_type
+ gateways_min_group_size = var.gateways_min_group_size
+ gateways_max_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ enable_cloudwatch = var.enable_cloudwatch
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.gateway_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateways_blades = var.gateways_blades
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+ servers_deploy= var.servers_deploy
+ servers_subnets = module.launch_vpc.private_subnets_ids_list
+ servers_instance_type = var.servers_instance_type
+ server_ami = var.server_ami
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/output.tf b/deprecated/terraform/aws/R80.40/qs-autoscale-master/output.tf
new file mode 100755
index 00000000..1130dfe0
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/output.tf
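Review bot: `management_password_hash = var.gateway_password_hash` in the `launch_qs_autoscale` module call hands the gateway admin hash to the management server, so the separate `management_password_hash` input declared in variables.tf and set in terraform.tfvars in this same commit is never used. An operator who sets only the management hash will find it silently ignored, and one who sets both gets the gateway credential on the management server instead. The line should read `management_password_hash = var.management_password_hash`, matching how the neighbouring `management_maintenance_mode_password_hash` line is wired.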
@@ -0,0 +1,58 @@
+output "Deployment" {
+ value = module.launch_qs_autoscale.Deployment
+}
+
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "public_rout_table" {
+ value = module.launch_vpc.public_rtb
+}
+
+output "management_name" {
+ value = module.launch_qs_autoscale.management_name
+}
+output "internal_port" {
+ value = module.launch_qs_autoscale.internal_port
+}
+output "load_balancer_url" {
+ value = module.launch_qs_autoscale.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.launch_qs_autoscale.external_load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.launch_qs_autoscale.internal_load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.external_lb_target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.internal_lb_target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.launch_qs_autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.launch_qs_autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = module.launch_qs_autoscale.configuration_template
+}
+output "controller_name" {
+ value = module.launch_qs_autoscale.controller_name
+}
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/qs-autoscale-master/terraform.tfvars
new file mode 100755
index 00000000..37a07774
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/terraform.tfvars
@@ -0,0 +1,57 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = true
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345abc"
\ No newline at end of file
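Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` allow web, SSH and GUI client access to the management server from every source address (that is what the `admin_cidr` description in the variables.tf hunk of this commit says the variable restricts), and `gateway_SICKey = "12345678"` is the smallest value the SIC regex in locals.tf accepts; a tfvars file in the repo tends to be copied as-is, so these should be unmistakably placeholders. Suggest `admin_cidr = "0.0.0.0/0" # placeholder: restrict to your admin network CIDR before deploying` and `gateway_SICKey = "12345678" # placeholder: replace with a random string of at least 8 alphanumeric characters`, with the same comment on `gateways_addresses`. `key_name = "publickey"` and `server_ami = "ami-12345abc"` are clearly placeholders already, so a one-line header saying all values marked "placeholder" must be replaced would make the intent consistent.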
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/variables.tf b/deprecated/terraform/aws/R80.40/qs-autoscale-master/variables.tf
new file mode 100755
index 00000000..317b1c94
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/variables.tf
@@ -0,0 +1,240 @@
+// Module: Check Point CloudGuard Network Quick Start Auto Scaling
+//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC.
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+// --- Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "provision_tag" {
+ type = string
+ description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+ default = "quickstart"
+}
+variable "load_balancers_type" {
+ type = string
+ description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing"
+ default = "Network Load Balancer"
+}
+variable "load_balancer_protocol" {
+ type = string
+ description = "The protocol to use on the Load Balancer"
+}
+variable "certificate" {
+ type = string
+ description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP"
+}
+variable "service_port" {
+ type = string
+ description = "The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS"
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
+// --- Web Servers Auto Scaling Group Configuration ---
+variable "servers_deploy" {
+ type = bool
+ description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored"
+ default = false
+}
+variable "servers_instance_type" {
+ type = string
+ description = "The EC2 instance type for the web servers"
+ default = "t3.micro"
+}
+module "validate_servers_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "server"
+ instance_type = var.servers_instance_type
+}
+variable "server_ami" {
+ type = string
+ description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)"
+}
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale-master/versions.tf b/deprecated/terraform/aws/R80.40/qs-autoscale-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale-master/versions.tf
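Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash` and the two maintenance-mode hash variables are declared as plain `string` inputs without `sensitive = true`, so their values can appear verbatim in `terraform plan`/`apply` output and in any CI log that captures it. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, so the `sensitive` argument is available; adding `sensitive = true` inside each of those blocks (for example after `description = "AWS secret key"` in `variable "secret_key"`) redacts them from plan output, although they are still written to state and the state backend needs protecting separately. If the intent of this commit is to freeze the old R80.40 template verbatim under `deprecated/`, a short note in the file header saying so would explain why that hardening is not applied here.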
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/README.md b/deprecated/terraform/aws/R80.40/qs-autoscale/README.md
new file mode 100755
index 00000000..823b454e
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale/README.md
@@ -0,0 +1,238 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale +- /terraform/aws/modules/custom-autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- General Settings --- + vpc_id = "vpc-12345678" + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Application Load Balancer" + load_balancer_protocol = "HTTP" + certificate = "" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateways_subnets = ["subnet-123b5678", "subnet-123a4567"] + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the 
gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = true + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = false + servers_subnets = ["subnet-1234abcd", "subnet-56789def"] + servers_instance_type = "t3.micro" + server_ami = "ami-12345678" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_name | The deployed Security Management AWS instance name | +| internal_port | The internal Load Balancer should listen to this port | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_LB_target_group_arn | The external Load Balancer Target Group ARN | +| internal_LB_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| 
autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. 
New Health Check Port is 8117 and Protocol TCP | +| 20231127 | Add support for parameter admin shell | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/locals.tf b/deprecated/terraform/aws/R80.40/qs-autoscale/locals.tf new file mode 100755 index 00000000..2ecac5dd --- /dev/null +++ b/deprecated/terraform/aws/R80.40/qs-autoscale/locals.tf 
@@ -0,0 +1,71 @@
+locals {
+ load_balancer_name = format("%sLB", var.prefix != "" ? format("%s-", var.prefix) : "")
+ target_group_name = format("%sTG", var.prefix != "" ? format("%s-", var.prefix) : "")
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"
+ ]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"
+ ] : [
+ "HTTP",
+ "HTTPS"
+ ]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ?
0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+
+ alb_condition = var.load_balancers_type == "Application Load Balancer"
+ nlb_condition = var.load_balancers_type == "Network Load Balancer"
+ provided_port_condition = var.service_port != ""
+ encrypted_protocol_condition = (local.alb_condition && var.load_balancer_protocol == "HTTPS") || (local.nlb_condition && var.load_balancer_protocol == "TLS") ? true : false
+ deploy_management_condition = var.management_deploy == true
+ deploy_servers_condition = var.servers_deploy == true
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/main.tf b/deprecated/terraform/aws/R80.40/qs-autoscale/main.tf
new file mode 100755
index 00000000..7fa5f27f
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale/main.tf
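Review bot: The comment above `regex_management_password_hash` reads `// Will fail if var.gateway_password_hash is invalid`, a leftover from the gateway block; it should read `// Will fail if var.management_password_hash is invalid`. Separately, `regex_valid_certificate` accepts only IAM server-certificate ARNs (empty region field, `server-certificate/` resource), so an ACM certificate ARN, which carries a region and a `certificate/` resource segment, makes `regex()` fail at plan time even though the README describes the input only as the ARN of an HTTPS certificate; if ACM certificates are meant to be usable the pattern needs a second alternative, otherwise the README and the error message should state IAM server certificates only. This is a copy under deprecated/, so the same observation holds for the live template only if it carries the identical pattern.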
@@ -0,0 +1,165 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_security_group" "external_alb_security_group" {
+ count = local.alb_condition ? 1 : 0
+ description = "External ALB security group"
+ vpc_id = var.vpc_id
+
+ egress {
+ from_port = local.encrypted_protocol_condition ? 9443 : 9080
+ protocol = "tcp"
+ to_port = local.encrypted_protocol_condition ? 9443 : 9080
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+module "external_load_balancer" {
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = var.load_balancers_type
+ instances_subnets = var.gateways_subnets
+ prefix_name = "${var.prefix}-External"
+ internal = false
+ security_groups = local.alb_condition ? [aws_security_group.external_alb_security_group[0].id] : []
+ tags = {}
+ vpc_id = var.vpc_id
+ load_balancer_protocol = var.load_balancer_protocol
+ target_group_port = local.encrypted_protocol_condition ? 9443 : 9080
+ listener_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? "443" : "80"
+ certificate_arn = local.encrypted_protocol_condition ? var.certificate : ""
+ health_check_port = var.load_balancers_type == "Network Load Balancer" ? 8117 : null
+ health_check_protocol = var.load_balancers_type == "Network Load Balancer" ?
"TCP" : null
+}
+
+module "autoscale" {
+ source = "../autoscale"
+ providers = {
+ aws = aws
+ }
+
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = var.vpc_id
+ subnet_ids = var.gateways_subnets
+ gateway_name = "${var.provision_tag}-security-gateway"
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.gateways_min_group_size
+ maximum_group_size = var.gateways_max_group_size
+ target_groups = tolist([module.external_load_balancer.target_group_arn])
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo -e '\nFinished Bootstrap script\n'"
+ management_server = "${var.provision_tag}-management"
+ configuration_template = "${var.provision_tag}-template"
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ?
1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.gateways_subnets[0]
+ management_name = "${var.provision_tag}-management"
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ iam_permissions = "Create with read-write permissions"
+ management_version = var.management_version
+ admin_shell = var.admin_shell
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateways_addresses
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.provision_tag}-management -tn ${var.provision_tag}-template -cn ${var.provision_tag}-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.provision_tag}-template -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'"
+}
+
+resource "aws_security_group" "internal_security_group" {
+ count = local.deploy_servers_condition ?
1 : 0
+ vpc_id = var.vpc_id
+
+ egress {
+ from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = -1
+ protocol = "icmp"
+ to_port = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+module "internal_load_balancer" {
+ count = local.deploy_servers_condition ? 1 : 0
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = var.load_balancers_type
+ instances_subnets = var.servers_subnets
+ prefix_name = "${var.prefix}-Internal"
+ internal = true
+ security_groups = local.alb_condition ? [aws_security_group.internal_security_group[0].id] : []
+ tags = {
+ x-chkp-management = "${var.provision_tag}-management"
+ x-chkp-template = "${var.provision_tag}-template"
+ }
+ vpc_id = var.vpc_id
+ load_balancer_protocol = var.load_balancer_protocol
+ target_group_port = local.encrypted_protocol_condition ? 443 : 80
+ listener_port = local.encrypted_protocol_condition ? "443" : "80"
+ certificate_arn = local.encrypted_protocol_condition ? var.certificate : ""
+}
+
+module "custom_autoscale" {
+ count = local.deploy_servers_condition ?
1 : 0
+ source = "../modules/custom-autoscale"
+
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = var.vpc_id
+ servers_subnets = var.servers_subnets
+ server_ami = var.server_ami
+ server_name = "${var.provision_tag}-server"
+ servers_instance_type = var.servers_instance_type
+ key_name = var.key_name
+ servers_min_group_size = var.gateways_min_group_size
+ servers_max_group_size = var.gateways_max_group_size
+ servers_target_groups = module.internal_load_balancer[0].target_group_id
+ deploy_internal_security_group = local.nlb_condition ? true : false
+ source_security_group = local.nlb_condition ? "" : aws_security_group.internal_security_group[0].id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/output.tf b/deprecated/terraform/aws/R80.40/qs-autoscale/output.tf
new file mode 100755
index 00000000..edb1a1f6
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale/output.tf
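Review bot: In `management_bootstrap_script`, `var.gateways_policy` is interpolated unquoted into the `autoprov_cfg -f init ... -po ${var.gateways_policy}` command that runs on the management server, but unlike `gateway_SICKey`, the password hashes and the two CIDRs it has no regex check in locals.tf, so a policy name containing whitespace or shell metacharacters would break the CME configuration step at boot instead of failing at plan time. A local in the existing style closes the gap: `regex_gateways_policy = regex("^[a-zA-Z0-9_-]+$", var.gateways_policy) == var.gateways_policy ? 0 : "Variable [gateways_policy] must contain only letters, digits, '-' and '_'"`; if policy package names legitimately allow a wider character set, shell-quote the interpolation in the script instead. This is a copy under deprecated/, so whether the live template already has such a check is outside this hunk.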
@@ -0,0 +1,45 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_name" {
+ value = "${var.provision_tag}-management"
+}
+output "internal_port" {
+ value = local.encrypted_protocol_condition ? 443 : 80
+}
+output "load_balancer_url" {
+ value = module.external_load_balancer.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.external_load_balancer.load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.internal_load_balancer[*].load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.external_load_balancer.target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.internal_load_balancer[*].target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = "${var.provision_tag}-template"
+}
+output "controller_name" {
+ value = "${var.provision_tag}-controller"
+}
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/terraform.tfvars b/deprecated/terraform/aws/R80.40/qs-autoscale/terraform.tfvars
new file mode 100755
index 00000000..d9eb16f4
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+ // --- General Settings ---
+vpc_id = "vpc-12345678"
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+ // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+ // --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+ // --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = false
+servers_subnets = ["subnet-1234abcd", "subnet-56789def"]
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345678"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/variables.tf b/deprecated/terraform/aws/R80.40/qs-autoscale/variables.tf
new file mode 100755
index 00000000..070ec4f4
--- /dev/null
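Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` near the end of this tfvars open the Security Management Server to every source address — the matching variable descriptions in variables.tf say these CIDRs are the only restriction on web, SSH and graphical-client access. An operator who copies the example as-is ends up with a world-reachable management plane, so the placeholders should carry a warning, e.g. `admin_cidr = "0.0.0.0/0" # CHANGE ME: restrict to your admin network; 0.0.0.0/0 exposes the management server to the Internet`. The same applies to `gateway_SICKey = "12345678"`, which is exactly the 8-character minimum the description allows and reads like a value to keep rather than a placeholder to replace. Finally, `load_balancer_protocol = "HTTP"` together with `certificate = ""` makes the external listener plaintext by default; a one-line comment that HTTPS requires an ACM certificate ARN would make that trade-off visible.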
+++ b/deprecated/terraform/aws/R80.40/qs-autoscale/variables.tf 
@@ -0,0 +1,231 @@ +// Module: Check Point CloudGuard Network Quick Start Auto Scaling +//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} +// --- General Settings --- +variable "vpc_id" { + type = string +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "provision_tag" { + type = string + description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment" + default = "quickstart" +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer" +} +variable "certificate" { + type = string + description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP" +} +variable "service_port" { + type = string + description = "The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateways_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Web Servers Auto Scaling Group Configuration --- +variable "servers_deploy" { + type = bool + description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored" + default = false +} +variable "servers_subnets" { + type = list(string) + description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-1234,subnet-5678,subnet-9012)" +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-1234)" +} diff --git a/deprecated/terraform/aws/R80.40/qs-autoscale/versions.tf b/deprecated/terraform/aws/R80.40/qs-autoscale/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/qs-autoscale/versions.tf 
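Review bot: None of the secret-bearing variables in this file — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash`, `management_maintenance_mode_password_hash` — is marked `sensitive = true`, so anything derived from them (bootstrap/user-data, for instance) prints unredacted in plan and apply output and in any CI log that captures it. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, and `sensitive` has been available since 0.14, so adding `sensitive = true` to each of those blocks is a backward-compatible one-liner. Separately, `gateway_SICKey` documents a minimum of 8 alphanumeric characters but has no `validation` block; `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) error_message = "gateway_SICKey must be at least 8 alphanumeric characters." }` would enforce it at plan time. The `""` defaults on the password-hash variables mean no admin password is configured unless the operator supplies one; the descriptions say (Optional), so that is presumably intended, but it deserves an explicit sentence in the description.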
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/standalone-master/README.md b/deprecated/terraform/aws/R80.40/standalone-master/README.md
new file mode 100755
index 00000000..fb6a5453
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone-master/README.md
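Review bot: The `http` and `random` entries in `required_providers` give a `version` but no `source`, while `aws` does. Terraform resolves a bare local name to the `hashicorp/` namespace, so this works as-is, but spelling it out — `source = "hashicorp/http"` and `source = "hashicorp/random"` — records which publisher is being trusted, which matters for a template customers copy into their own repositories. Version constraints alone do not pin checksums; that is the job of `.terraform.lock.hcl`, and none is visible in this diff, so presumably operators are expected to generate and commit their own on first `terraform init`.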
@@ -0,0 +1,201 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + +This solution uses the following modules: +- /terraform/aws/standalone +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------|------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rtb_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform Provider version to 5.20.1 | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/standalone-master/locals.tf b/deprecated/terraform/aws/R80.40/standalone-master/locals.tf new file mode 100755 index 00000000..61326301 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/standalone-master/locals.tf 
@@ -0,0 +1,36 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 
0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.standalone_password_hash is invalid + regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" + +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/standalone-master/main.tf b/deprecated/terraform/aws/R80.40/standalone-master/main.tf new file mode 100755 index 00000000..999c506e --- /dev/null +++ b/deprecated/terraform/aws/R80.40/standalone-master/main.tf 
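Review bot: The CIDR check's error message names a variable that does not exist: `mgmt_subnet_regex_result` validates `var.admin_cidr` but fails with `"var.admin_subnet must be a valid CIDR range"`, and the comment above it repeats `var.admin_subnet`, so an operator hitting the error is pointed at nothing they can fix. Change both to the real name, e.g. `mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR range"`. `regex_valid_cidr_range` also makes the `/prefix` group optional, so a bare address such as `10.0.0.1` passes a check whose message demands a CIDR; the security-group rule that eventually receives the value is outside this hunk, so whether the provider rejects it there I can't tell. Since versions.tf in this commit requires Terraform >= 0.14.3, these regex locals could be `validation` blocks on the variables themselves, which report the failing variable by name instead of through an unreferenced local.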
@@ -0,0 +1,63 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_standalone_into_vpc" {
+ source = "../standalone"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ standalone_name = var.standalone_name
+ standalone_instance_type = var.standalone_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ standalone_version = var.standalone_version
+ admin_shell = var.admin_shell
+ standalone_password_hash = var.standalone_password_hash
+ standalone_maintenance_mode_password_hash = var.standalone_maintenance_mode_password_hash
+ standalone_hostname = var.standalone_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ standalone_bootstrap_script = var.standalone_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateway_addresses
+}
diff --git a/deprecated/terraform/aws/R80.40/standalone-master/output.tf b/deprecated/terraform/aws/R80.40/standalone-master/output.tf
new file mode 100755
index 00000000..11d557b9
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone-master/output.tf
@@ -0,0 +1,27 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "standalone_instance_id" {
+ value = module.launch_standalone_into_vpc.standalone_instance_id
+}
+output "standalone_instance_name" {
+ value = module.launch_standalone_into_vpc.standalone_instance_name
+}
+output "standalone_public_ip" {
+ value = module.launch_standalone_into_vpc.standalone_public_ip
+}
+output "standalone_ssh" {
+ value = module.launch_standalone_into_vpc.standalone_ssh
+}
+output "standalone_url" {
+ value = module.launch_standalone_into_vpc.standalone_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/standalone-master/terraform.tfvars
new file mode 100755
index 00000000..4f6b6131
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone-master/terraform.tfvars
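Review bot: The explicit `depends_on = [module.launch_vpc]` on `aws_route_table.private_subnet_rtb` and `depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]` on the association are redundant, because `vpc_id`, `route_table_id` and `subnet_id` already reference those objects and Terraform derives the ordering from the references. An explicit dependency on a whole module also makes the resource wait for every object inside it rather than the one it uses, which is broader than the code needs; dropping both `depends_on` lines leaves the effective graph intact. The provider block here reads `access_key` and `secret_key` from variables; see the variables.tf hunk of this commit for the `sensitive` marking those should carry.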
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone-master/variables.tf b/deprecated/terraform/aws/R80.40/standalone-master/variables.tf
new file mode 100755
index 00000000..212dc108
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone-master/variables.tf
@@ -0,0 +1,174 @@
+// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "standalone_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance"
+ default = "Check-Point-Standalone-tf"
+}
+variable "standalone_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway & Management (Standalone) instance"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "standalone"
+ instance_type = var.standalone_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "standalone_version" {
+ type = string
+ description = "Gateway & Management (Standalone) version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_standalone_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "standalone"
+ version_license = var.standalone_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "standalone_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) The name tag of the resources"
+ default = ""
+}
+variable "standalone_hostname" {
+ type = string
+ description = "(Optional) Security Gateway & Management (Standalone) prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "standalone_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
diff --git a/deprecated/terraform/aws/R80.40/standalone-master/versions.tf b/deprecated/terraform/aws/R80.40/standalone-master/versions.tf
new file mode 100755
index 00000000..a95f0172
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone-master/versions.tf
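Review bot: `secret_key`, `standalone_password_hash` and `standalone_maintenance_mode_password_hash` are declared without `sensitive = true`, so wherever they are interpolated (the provider block, the `user_data` of the standalone module) their values can surface in plan diffs, error output and state listings; versions.tf in this commit requires `>= 0.14.3`, which supports the attribute, so add `sensitive = true` to each of those three blocks. `null_resource.volume_size_too_small` enforces the minimum through `count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"`, which depends on a type error for its effect and declares a resource that is never meant to exist; a `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100" }` block on `volume_size` states the rule directly. The `admin_cidr` and `gateway_addresses` defaults of `"0.0.0.0/0"` mean an unmodified configuration admits management traffic from any source address; a comment on those two defaults, such as `// Narrow to the operator's network before applying; the default admits any source`, would make that visible at the point of use (the standalone/variables.tf hunk is outside this view, so I cannot confirm it matches).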
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/README.md b/deprecated/terraform/aws/R80.40/standalone/README.md
new file mode 100755
index 00000000..e61e06ce
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/README.md
@@ -0,0 +1,176 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation + + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/standalone/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + 
allocate_and_associate_eip = true + ``` + - To create route from '0.0.0.0/0' to the Standalone instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|------------------------------------------------------------------------------| +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/standalone/locals.tf b/deprecated/terraform/aws/R80.40/standalone/locals.tf new file mode 100755 index 00000000..6e438e83 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/standalone/locals.tf 
@@ -0,0 +1,41 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_subnet or var.gateway_addresses are invalid
+ mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.standalone_password_hash is invalid
+ regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.standalone_version), 0)
+
+ standalone_bootstrap_script64 = base64encode(var.standalone_bootstrap_script)
+ standalone_password_hash_base64 = base64encode(var.standalone_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.standalone_maintenance_mode_password_hash)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/main.tf b/deprecated/terraform/aws/R80.40/standalone/main.tf
new file mode 100755
index 00000000..f9df43ff
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/main.tf
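Review bot: `volume_encryption_condition = var.volume_encryption != "" ? true : false` wraps an expression that is already a bool in a redundant conditional; `volume_encryption_condition = var.volume_encryption != ""` reads the same and evaluates identically. It would also help a reader if the three `base64encode` lines carried a short comment on why the values are encoded, e.g. `// base64 so the values survive interpolation into the cloud-config command line unchanged`, since the consumer is the userdata template rather than anything in this file.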
@@ -0,0 +1,145 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.standalone_version
+ chkp_type = "standalone"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.standalone_name
+}
+
+resource "aws_iam_instance_profile" "standalone_instance_profile" {
+ count = local.enable_cloudwatch_policy
+ path = "/"
+ role = aws_iam_role.standalone_iam_role[count.index].name
+}
+
+resource "aws_iam_role" "standalone_iam_role" {
+ count = local.enable_cloudwatch_policy
+ assume_role_policy = data.aws_iam_policy_document.standalone_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "standalone_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_role.standalone_iam_role[count.index].name
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name
+}
+resource "aws_network_interface" "public_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth0"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name) }
+}
+resource "aws_network_interface" "private_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth1"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-internal-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name) }
+}
+
+module "common_eip" {
+ source = "../modules/common/elastic_ip"
+
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ external_eni_id = aws_network_interface.public_eni.id
+ private_ip_address = aws_network_interface.public_eni.private_ip
+}
+
+module "common_internal_default_route" {
+ source = "../modules/common/internal_default_route"
+
+ private_route_table = var.private_route_table
+ internal_eni_id = aws_network_interface.private_eni.id
+}
+
+resource "aws_launch_template" "standalone_launch_template" {
+ instance_type = var.standalone_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = (local.enable_cloudwatch_policy == 1 ? aws_iam_instance_profile.standalone_instance_profile[0].id : "")
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.public_eni.id
+ device_index = 0
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.private_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_instance" "standalone-instance" {
+ launch_template {
+ id = aws_launch_template.standalone_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.standalone_name
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ user_data = templatefile("${path.module}/standalone_userdata.yaml", {
+ // script's arguments
+ Hostname = var.standalone_hostname,
+ PasswordHash = local.standalone_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ AdminSubnet = var.admin_cidr,
+ EnableInstanceConnect = var.enable_instance_connect,
+ StandaloneBootstrapScript = local.standalone_bootstrap_script64
+ AllocateElasticIP = var.allocate_and_associate_eip
+ OsVersion = local.version_split
+ })
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/output.tf b/deprecated/terraform/aws/R80.40/standalone/output.tf
new file mode 100755
index 00000000..5a46d0fa
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/output.tf
@@ -0,0 +1,15 @@
+output "standalone_instance_id" {
+ value = aws_instance.standalone-instance.id
+}
+output "standalone_instance_name" {
+ value = aws_instance.standalone-instance.tags["Name"]
+}
+output "standalone_public_ip" {
+ value = aws_instance.standalone-instance.public_ip
+}
+output "standalone_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_instance.standalone-instance.public_ip)
+}
+output "standalone_url" {
+ value = format("https://%s", aws_instance.standalone-instance.public_ip)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/standalone_userdata.yaml b/deprecated/terraform/aws/R80.40/standalone/standalone_userdata.yaml
new file mode 100755
index 00000000..1bdf7eca
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/standalone_userdata.yaml
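Review bot: The `user_data` argument of `aws_instance.standalone-instance` embeds `PasswordHash` and `MaintenanceModePassword` (the base64-encoded hashes from locals.tf), so the hashes are persisted in Terraform state and in the instance's user-data attribute, where any process on the instance can read them from the metadata service and any principal allowed `ec2:DescribeInstanceAttribute` can read them from the API. The bootstrap evidently needs them there, so the change I would ask for is a comment above `user_data` such as `// NOTE: password hashes are delivered via user_data; they live in state and in instance metadata, so restrict access to both` and `sensitive = true` on the two hash variables (variables.tf for this module is outside this view). As a style point, `"standalone-instance"` is the only hyphenated resource name in the file while the others use snake_case (`standalone_launch_template`, `standalone_iam_role`); a rename would also touch every `aws_instance.standalone-instance` reference in output.tf, so it is cheapest while this copy is still fresh.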
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/terraform.tfvars b/deprecated/terraform/aws/R80.40/standalone/terraform.tfvars
new file mode 100755
index 00000000..edad70cd
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/terraform.tfvars
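Review bot: Every template value on the `runcmd` line is spliced into the shell command inside `\"...\"` with no escaping, so a `Hostname`, `NTPPrimary`, `Shell` or `AdminSubnet` value containing a double quote or `$(` changes the command cloud-init runs, and the variables feeding them (standalone variables.tf in this commit) carry no `validation` block that would reject such a value at plan time. A `validation { condition = can(cidrnetmask(var.admin_cidr)) }` on `admin_cidr` and a hostname-character regex on `standalone_hostname` would close that before apply. Separately, `passwordHash`, `MaintenanceModePassword` and `bootstrapScript64` travel in user data and on the process command line, both of which are readable from inside the instance regardless of the IMDSv2 setting; the README should say so, since operators tend to assume user data is private. `\"${Hostname }\"` also has a stray space inside the interpolation; `\"${Hostname}\"` is the intended form.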
@@ -0,0 +1,39 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/standalone/variables.tf b/deprecated/terraform/aws/R80.40/standalone/variables.tf
new file mode 100755
index 00000000..afdec993
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/standalone/variables.tf
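Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"`, and the standalone variables.tf hunk in this commit defaults both to the same value, so a deployment that copies the example as-is admits web, SSH and graphical clients from any network, which is exactly what the variables' own descriptions say these inputs are meant to restrict. The example should carry a placeholder that forces a choice, e.g. `admin_cidr = "<management-network-cidr>" // your office, VPN or bastion range`, and the `default = "0.0.0.0/0"` lines in variables.tf could be dropped so the values become required. The same applies to `gateway_addresses`.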
@@ -0,0 +1,172 @@
+// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_id" {
+ type = string
+ description = "The public subnet of the Security Gateway & Management (Standalone)"
+}
+variable "private_subnet_id" {
+ type = string
+ description = "The private subnet of the Security Gateway & Management (Standalone)"
+}
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567)"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "standalone_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance"
+ default = "Check-Point-Standalone-tf"
+}
+variable "standalone_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway & Management (Standalone) instance"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "standalone"
+ instance_type = var.standalone_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource 
"null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "standalone_version" {
+ type = string
+ description = "Security Gateway & Management (Standalone) version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_standalone_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "standalone"
+ version_license = var.standalone_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "standalone_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) The name tag of the resources"
+ default = ""
+}
+variable "standalone_hostname" {
+ type = string
+ description = "(Optional) Security Gateway & Management (Standalone) prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "standalone_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
diff --git a/deprecated/terraform/aws/R80.40/standalone/versions.tf b/deprecated/terraform/aws/R80.40/standalone/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
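Review bot: `null_resource.volume_size_too_small` enforces the minimum by assigning a string to `count`, which fails with a type-conversion error that never names `volume_size` unless the reader opens this file; since versions.tf in this commit requires Terraform >= 0.14.3, a `validation` block on the variable gives the same guard with a readable message and no phantom resource in the plan. `access_key` and `secret_key` are plain string variables with empty defaults and no `sensitive = true`, so Terraform will not redact them if they surface in plan output or state; the same pair appears in tap/variables.tf later in this commit. The rewritten variable is below; the `null_resource` is removed.
```hcl
variable "volume_size" {
  // … unchanged: type, description, default …

  validation {
    condition     = var.volume_size >= 100
    error_message = "volume_size must be at least 100."
  }
}
```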
+++ b/deprecated/terraform/aws/R80.40/standalone/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tap/Check Point NOW onboarding page.docx b/deprecated/terraform/aws/R80.40/tap/Check Point NOW onboarding page.docx
new file mode 100755
index 00000000..54b4968d
Binary files /dev/null and b/deprecated/terraform/aws/R80.40/tap/Check Point NOW onboarding page.docx differ
diff --git a/deprecated/terraform/aws/R80.40/tap/CheckPoint_NOW_onboarding_page.pdf b/deprecated/terraform/aws/R80.40/tap/CheckPoint_NOW_onboarding_page.pdf
new file mode 100755
index 00000000..c25e9592
Binary files /dev/null and b/deprecated/terraform/aws/R80.40/tap/CheckPoint_NOW_onboarding_page.pdf differ
diff --git a/deprecated/terraform/aws/R80.40/tap/README.md b/deprecated/terraform/aws/R80.40/tap/README.md
new file mode 100755
index 00000000..bb2467ea
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tap/README.md
@@ -0,0 +1,258 @@ +# Check Point Traffic Access Point (TAP) Terraform module for AWS + +Terraform module which deploys a TAP solution in an existing VPC on AWS. + +To learn about Check Point's TAP solution, click [here](CheckPoint_NOW_onboarding_page.pdf). + + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) - TAP Gateway +* [AWS CloudFormation Stack](https://www.terraform.io/docs/providers/aws/r/cloudformation_stack.html) - creates Traffic Mirror Filter and Target +* [AWS Lambdas](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) - TAP Lambda, TAP Termination Lambda + +Learn more about [TAP Lambda](#TAP-Lambda) and [TAP Termination Lambda](#TAP-Termination-Lambda) + +This solution uses the following modules: +- /terraform/aws/modules/amis + + +## Prerequisites +* **Internet Gateway -** The VPC deployed into **must** have an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) +configured as default route in the VPC's main route-table in order to allow communication between the TAP Gateway and Check Point NOW Cloud. +**Note:** Internet connectivity is mandatory pre-deployment. +* **License -** This module supports Check Point R80.40 NGTX-PAYG license only +* **NOW domain and Cyber Sentry -** +To create a NOW domain fill in the [NOW cloud registration form](https://now.checkpoint.com/register/index.html). +Once you are logged in to your NOW domain, create a Cyber Sentry and use its MAC address as the 'registration_key' variable in the terraform deployment. +For detailed information and instructions refer to the [NOW onboarding page](CheckPoint_NOW_onboarding_page.pdf). + +> **Note:** Make sure the Cyber Sentry you intend to connect to is 'decativated' pre-deployment in the NOW portal. 
+ +### Notes and limitations +* As explained in [AWS Traffic Mirroring considerations](https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html) page, +AWS supports traffic mirroring for [Nitro-based instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) only. +* Post-deployment refer to [Check Point NOW portal](https://now.checkpoint.com) > Cyber Sentries. +Once your Cyber sentry changes its state to 'activated' and 'connected' - the instance connected successfully to Check Point NOW Cloud. +This may take up to 20 minutes. +* Due to an AWS limitation the **maximum number of mirror sources per target** depends on the TAP Gateway instance type. +For a non-dedicated instance type as target, the limit is 10 sources. +For a dedicated instance type, the limit is 100 sources. +CGI supports the following dedicated instance types: c5.18xlarge and c5n.18xlarge +For more information please refer to [AWS Traffic Mirroring quotas and considerations](https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html#traffic-mirroring-limits) page. + +## Note +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tap/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +[Clone or download](https://github.com/CheckPointSW/CloudGuardIaaS) Check Point CloudGuard Network Github Repository. + +Configure your variables in /terraform/aws/tap/**terraform.tfvars** file as follows: +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-12345678" +external_subnet_id = "subnet-abc123" +internal_subnet_id = "subnet-def456" +resources_tag_name = "env1" + +// --- TAP Configuration --- +registration_key = "10:10:10:10:10:10" +vxlan_id = 10 +blacklist_tags = { + env = "staging" + state = "stable" +} +schedule_scan_interval = 60 + +// --- EC2 Instance Configuration --- +instance_name = "tap-gateway" +instance_type = "c5.xlarge" +key_name = "publickey" +``` +**main.tf** - Refers to the above configured variables and does not require any changes: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "tap" { + source = "../../modules/tap" + + // --- VPC Network Configuration --- + vpc_id = var.vpc_id + external_subnet_id = var.external_subnet_id + internal_subnet_id = var.internal_subnet_id + resources_tag_name = var.resources_tag_name + + // --- TAP Configuration --- + registration_key = var.registration_key + vxlan_id = var.vxlan_id + blacklist_tags = var.blacklist_tags + schedule_scan_interval = var.schedule_scan_interval + + // --- EC2 Instance Configuration --- + instance_name = var.instance_name + instance_type = var.instance_type + key_name = var.key_name +} +``` +From your tap directory's command line - +* Run 'terraform plan' to generate and show an execution plan +* Run 'terraform apply' to initiate deployment and build the TAP infrastructure +* Run 'terraform destroy' to destroy the terraform-managed infrastructure + +> Find Terraform commands doc 
[here](https://www.terraform.io/docs/commands/index.html). + +This module creates a Check Point TAP Gateway instance in the VPC specified by the user, +along with traffic mirror filter and target, and two lambda functions: TAP Lambda and TAP Termination Lambda. + +Once the Check Point TAP Gateway instance is deployed, the TAP Lambda is invoked and scans the entire +VPC for mirrorable NITRO instances. + +## Deployment + +First, purchase a [CloudGuard Network security gateway](https://aws.amazon.com/marketplace/pp/B07LB54LFB?qid=1586153579302&sr=0-2&ref_=srh_res_product_title) +with Threat Prevention & SandBlast from the AWS marketplace. +A named customer domain must be provisioned on the Check Point now.checkpoint.com SaaS – +during the Early Availability period, this must be performed by Check Point. +To create a NOW domain fill in the [NOW cloud registration form](https://now.checkpoint.com/register/index.html) and your request will be handled as soon as possible. +You will receive an email with a registration link – click that, and a certificate will be automatically generated and provided to you for download and import into your browser. +(Note: some browsers, e.g. Google Chrome, require a restart for the certificate to be activated – kill all instances of the browser, and restart it.) +Now point your browser at [now.checkpoint.com](https://now.checkpoint.com). You will be directed into your new domain. +Go to the Management > Sentries tab and click 'New' +* The New Sentry pane will open – select 'Virtual’, enter an optional description, verify the time zone, and click ADD +* A new sentry entry will appear. It will be uniquely identified by automatically generated 'Name’ and 'MAC Address’ +* Download the CloudGuard Network TAP Terraform module from [CloudGuard Network Github - TAP module](https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/modules/tap). 
+Edit terraform.tfvars file according to the instructions in the [Usage](#Usage) section above, using the sentry’s 'MAC Address’ for the registration_key variable. +* Launch the module using Terraform. As described above, this module creates a Check Point TAP Gateway instance in the VPC specified by the user, along with traffic mirror filter and target, and two lambda functions: 'TAP Lambda' and 'TAP Termination Lambda'. Once the Check Point CloudGuard Network TAP Gateway instance is deployed, the TAP Lambda is invoked and scans the entire VPC for mirrorable NITRO instances that meet the configured selection criteria. +* After up to 20 minutes, the sentry state will change to “Connected” in the NOW portal. +Check the Logs tab to see that network traffic is flowing into the sentry. + +### TAP Lambda + +#### IAM role +The module creates an IAM role for the TAP Lambda, named 'chkp_iam_tap_lambda' suffixed with a uuid. +This role is granted minimum permissions for the Lambda to execute. + +#### Responsibilities + +1. Invoked by Terraform once the Check Point TAP Gateway instance is deployed. + 1. Scans the VPC for mirrorable instances + 2. Creates traffic mirror sessions between the TAP Gateway traffic mirror target + and the primary ENI of non-blacklisted instances + 3. Skips traffic mirror session creation for blacklisted instances + +2. Invoked by an EC2 event: Every instance in the VPC that changes its state to 'Running'. + 1. Updates TAP for triggered instance - If not blacklisted and not TAPed, + creates traffic mirror session to the TAP Gateway traffic mirror target. + If blacklisted and TAPed, deletes traffic mirror session with the TAP Gateway target + 2. Scans VPC and updates TAP for all mirrorable instances (see 2.i) + +3. Invoked by a scheduled event: every X minutes, configured by the 'schedule_scan_interval' variable (default = 60). + 1. Scans the VPC for mirrorable instances + 2. 
Updates TAP for all mirrorable instances in the VPC (see 2.i) + + +#### Instances blacklisting: + +This module supports tag based blacklist mechanism to avoid TAP for desired instances. + +The Terraform TAP module holds a 'blacklist_tags' variable of type map(string). +The 'blacklist_tags' variable consists of key value pairs representing tag-key and tag-value pairs. + +The TAP Lambda will create traffic mirror sessions only for instances which **do not** hold any of +these tag pairs. Instances with any of these tag pairs will not be TAPed by the TAP Lambda function. +If a blacklisted instance is already TAPed, the TAP Lambda will act accordingly and +delete the traffic mirror session. + +During the solution deployment, the 'blacklist_tags' variable's values are joined to a string in the +following structure: "key1=value1:key2-value2:key3=value3" and so on. +This string is passed as 'TAP_BLACKLIST' environment variable to the TAP Lambda. +You can update the blacklist tags list by editing the TAP Lambda 'TAP_BLACKLIST' environment variable. +The structure "key1=value1:key2-value2:key3=value3" of the variable must be maintained. + + +### TAP Termination Lambda + + This Lambda should be manually invoked **prior** to destroying the Terraform environment. + The environment destruction **will fail** if skipping the Termination Lambda invocation. + +#### IAM role +The module creates an IAM role for the TAP Termination Lambda, named 'chkp_iam_tap_termination_lambda' suffixed with a uuid. +This role is granted minimum permissions for the Lambda to execute. + +#### Responsibilities: + +Lambda deletes all traffic mirror sessions associated with the TAP Gateway's target. +This step is crucial before environment destruction in order for destruction to finish successfully +(an alternative way is to navigate to AWS traffic mirror sessions page and manually +delete the relevant sessions). 
+ + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------|-----------------------------------------------------------------------------------------------------|-------------|----------------|-------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| external_subnet_id | The external subnet of the security gateway (internet access) | string | n/a | n/a | yes | +| internal_subnet_id | The internal subnet of the security gateway. This subnet will be connected to the mirrored sources. | string | n/a | n/a | yes | +| resources_tag_name | (Optional) Resources prefix tag | string | n/a | "" | no | +| registration_key | The gateway registration key to Check Point NOW cloud | string | n/a | n/a | yes | +| vxlan_id | (Optional) VXLAN ID (number) for mirroring sessions | number | n/a | 1 | no | +| blacklist_tags | Key value pairs of tag key and tag value. Instances with any of these tag pairs will not be TAPed | map(string) | n/a | {} | no | +| schedule_scan_interval | (minutes) Lambda will scan the VPC every X minutes for TAP updates | number | n/a | 60 | no | +| instance_name | AWS instance name to launch | string | n/a | CP-TAP-Gateway-tf | no | +| instance_type | AWS instance type - View [Notes and limitations](#Notes-and-limitations) section | string | n/a | c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | + + +## Outputs +| Name | Description | +|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| +| tap-gateway_instance_id | The instance id of the deployed Check Point TAP Gateway | +| gateway_instance_name | The instance name of the deployed Check Point TAP Gateway | +| gateway_instance_public_ip | The public ip address of the deployed Check Point TAP Gateway | +| 
traffic_mirror_filter_id | The traffic mirror filter id created during deployment by the 'tap_target_and_filter' stack | +| traffic_mirror_target_id | The traffic mirror target id pointing to the TAP Gateway's internal ENI - created during deployment by the 'tap_target_and_filter' stack | +| tap_lambda_name | TAP main lambda name (responsible for creating and deleting traffic mirror sessions with the TAP Gateway's target) | +| tap_lambda_description | TAP main lambda description | +| termination_lambda_name | TAP termination lambda name (deletes all traffic mirror sessions with the TAP Gateway's target) | +| termination_lambda_description | TAP termination lambda description | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|----------------------------------------------------------------------------------| +| 20210329 | Stability fixes | +| 20210309 | AWS Terraform modules refactor | +| 20200413 | First release of Check Point Traffic Access Point (TAP) Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tap/main.tf b/deprecated/terraform/aws/R80.40/tap/main.tf new file mode 100755 index 00000000..01cc19d0 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tap/main.tf 
@@ -0,0 +1,301 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.version_license + chkp_type = "gateway" +} + +resource "aws_security_group" "tap_sg" { + description = format("%s Security group", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + protocol = "tcp" + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + protocol = "tcp" + from_port = 22 + to_port = 22 + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + description = "allow VXLAN for traffic mirroring" + protocol = "udp" + from_port = 4789 + to_port = 4789 + cidr_blocks = ["0.0.0.0/0"] + } + name = format("%s_SecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) // Group name + tags = { + Name = format("%s_SecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) // Resource name + } +} +resource "aws_network_interface" "external-eni" { + subnet_id = var.external_subnet_id + security_groups = [aws_security_group.tap_sg.id] + description = "eth0" + source_dest_check = false + tags = { + Name = format("%s-external_network_interface", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) + } +} +resource "aws_network_interface" "internal-eni" { + subnet_id = var.internal_subnet_id + security_groups = [aws_security_group.tap_sg.id] + description = "eth1" + source_dest_check = false + tags = { + Name = format("%s-internal_network_interface", var.resources_tag_name != "" ? 
var.resources_tag_name : var.instance_name) + } +} +resource "aws_eip" "eip" { + network_interface = aws_network_interface.external-eni.id +} +resource "aws_instance" "tap_gateway" { + depends_on = [ + aws_network_interface.external-eni, + aws_network_interface.internal-eni, + aws_eip.eip + ] + + ami = module.amis.ami_id + tags = { + Name = var.instance_name + } + instance_type = var.instance_type + key_name = var.key_name + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = 100 + } + network_interface { + // external + network_interface_id = aws_network_interface.external-eni.id + device_index = 0 + } + network_interface { + // internal + network_interface_id = aws_network_interface.internal-eni.id + device_index = 1 + } + + user_data = templatefile("${path.module}/tap_user_data.sh", { + // script's arguments + RegistrationKey = var.registration_key + VxlanIds = var.vxlan_id + }) +} + +// Create CloudFormation Stack +resource "random_id" "stack_uuid" { + byte_length = 5 +} +resource "aws_cloudformation_stack" "tap_target_and_filter" { + depends_on = [aws_instance.tap_gateway] + name = format("traffic-mirror-filter-and-target-%s", random_id.stack_uuid.hex) + + parameters = { + MirroringNetworkInterfaceId = aws_network_interface.internal-eni.id + EnvironmentPrefix = var.resources_tag_name + } + template_url = "https://cgi-cfts.s3.amazonaws.com/utils/tap_target_and_filter.yaml" +} +locals { + trafficMirrorTargetId = aws_cloudformation_stack.tap_target_and_filter.outputs["TrafficMirrorTargetId"] + trafficMirrorFilterId = aws_cloudformation_stack.tap_target_and_filter.outputs["TrafficMirrorFilterId"] +} + +// Lambdas +// --- TAP Lambda --- +data "aws_iam_policy_document" "assume_policy_doc" { + statement { + effect = "Allow" + principals { + identifiers = ["lambda.amazonaws.com"] + type = "Service" + } + actions = ["sts:AssumeRole"] + } +} +data "aws_iam_policy_document" "tap_lambda_policy_doc" { + statement { + effect = "Allow" + 
actions = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "ec2:DescribeInstances", + "ec2:CreateTags", + "ec2:DeleteTrafficMirrorSession", + "ec2:CreateTrafficMirrorSession", + "ec2:DescribeTrafficMirrorSessions" + ] + resources = ["*"] + } +} +resource "aws_iam_role" "tap_lambda_iam_role" { + name_prefix = "chkp_iam_tap_lambda" + assume_role_policy = data.aws_iam_policy_document.assume_policy_doc.json +} +resource "aws_iam_role_policy" "tap_lambda_policy" { + policy = data.aws_iam_policy_document.tap_lambda_policy_doc.json + role = aws_iam_role.tap_lambda_iam_role.id +} +// Lambda Function +resource "random_id" "tap_lambda_uuid" { + byte_length = 5 +} +data "archive_file" "tap_lambda_zip" { + type = "zip" + source_file = "${path.module}/tap_lambda.py" + output_path = "${path.module}/tap_lambda.zip" +} +locals { + blacklisted_tag_pairs_joined = join(":", [for tag_key in keys(var.blacklist_tags): join("=", [tag_key, var.blacklist_tags[tag_key]])]) +} +resource "aws_lambda_function" "tap_lambda" { + depends_on = [aws_instance.tap_gateway] + function_name = format("chkp_tap_lambda-%s", random_id.tap_lambda_uuid.hex) + description = "The TAP lambda creates traffic mirror sessions with the TAP gateway instance, and removes them for blacklisted instances in the VPC." 
+ + filename = "${path.module}/tap_lambda.zip" + + role = aws_iam_role.tap_lambda_iam_role.arn + handler = "tap_lambda.lambda_handler" + runtime = "python3.8" + timeout = 30 + + environment { + variables = { + VPC_ID = var.vpc_id + GW_ID = aws_instance.tap_gateway.id + TM_TARGET_ID = local.trafficMirrorTargetId + TM_FILTER_ID = local.trafficMirrorFilterId + VNI = var.vxlan_id + TAP_BLACKLIST = local.blacklisted_tag_pairs_joined + } + } +} +// CloudWatch event - EC2 state change to Running +resource "aws_cloudwatch_event_rule" "on_ec2_running_state" { + name_prefix = "tap_ec2_running_rule" + description = "Invoked when an instance changes its state to Running" + event_pattern = </var/log/aws-user-data.log 2>&1 + +echo template_name: TAP_tf >> /etc/cloud-version +echo template_version: 20210309 >> /etc/cloud-version +echo template_type: terraform >> $cv_path + +hname="CP-TAP" + +echo "Generating SIC password" +sic=$(tr -dc "0-9a-zA-Z" < /dev/urandom | head -c 8) + +blink_config -s "hostname='$hname'&gateway_cluster_member=false&ftw_sic_key='$sic'&upload_info=true&download_info=true" +rc=$? + +echo "Pulling NOW install script..." +INSTALLER=/var/log/now_installer + +runtime="10 minute" +endtime=$(date -ud "$runtime" +%s) + +while [[ $(date -u +%s) -le $endtime ]]; do + curl_cli -s -S --cacert "$CPDIR/conf/ca-bundle.crt" https://portal.now.checkpoint.com/static/configure.aws.sh -o $INSTALLER && break + sleep 2 +done + +chmod +x $INSTALLER +dos2unix $INSTALLER +$INSTALLER ${RegistrationKey} ${VxlanIds} >& $FWDIR/log/now_installer.elg + +LOADER=$FWDIR/bin/loadInstaller +echo '' > $LOADER +chmod +x "$LOADER" + +cpwd_admin start -name NOW_HF_LOADER -path "$LOADER" -command loadInstaller -slp_timeout 5 -retry_limit 10 +echo "done" diff --git a/deprecated/terraform/aws/R80.40/tap/terraform.tfvars b/deprecated/terraform/aws/R80.40/tap/terraform.tfvars new file mode 100755 index 00000000..f6fbebcb --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tap/terraform.tfvars 
@@ -0,0 +1,21 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+external_subnet_id = "subnet-abc123"
+internal_subnet_id = "subnet-def456"
+resources_tag_name = "env1"
+
+// --- TAP Configuration ---
+registration_key = "10:10:10:10:10:10"
+vxlan_id = 10
+blacklist_tags = {
+ env = "staging"
+ state = "stable"
+}
+schedule_scan_interval = 60
+
+// --- EC2 Instance Configuration ---
+instance_name = "tap-gateway"
+instance_type = "c5.xlarge"
+key_name = "publickey"
diff --git a/deprecated/terraform/aws/R80.40/tap/variables.tf b/deprecated/terraform/aws/R80.40/tap/variables.tf
new file mode 100755
index 00000000..e7e45a6d
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tap/variables.tf
@@ -0,0 +1,89 @@ +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "external_subnet_id" { + type = string + description = "The external subnet of the security gateway (internet access)" +} +variable "internal_subnet_id" { + type = string + description = "The internal subnet of the security gateway. This subnet will be connected to the mirrored sources." +} +variable "resources_tag_name" { + type = string + description = "(Optional) Resources prefix tag" + default = "" +} + +// --- TAP Configuration --- +variable "registration_key" { + type = string + description = "The gateway registration key to Check Point NOW cloud" +} +variable "vxlan_id" { + type = number + description = "(Optional) VXLAN ID (number) for mirroring sessions - Predefined VTEP number" + default = 1 +} +variable "blacklist_tags" { + type = map(string) + description = "Key value pairs of tag key and tag value. 
Instances with any of these tag pairs will not be TAPed" + default = {} +} +variable "schedule_scan_interval" { + type = number + description = "(minutes) Lambda will scan the VPC every X minutes for TAP updates" + default = 60 +} + +// --- EC2 Instance Configuration --- +variable "instance_name" { + type = string + description = "AWS instance name to launch" + default = "CP-TAP-Gateway-tf" +} +variable "instance_type" { + type = string + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} + +// --- Check Point Settings --- +variable "version_license" { + type = string + description = "version and license" + default = "R80.40-PAYG-NGTX" +} +module "validate_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.version_license +} diff --git a/deprecated/terraform/aws/R80.40/tests/cluster_master_test.go b/deprecated/terraform/aws/R80.40/tests/cluster_master_test.go new file mode 100755 index 00000000..adf31fe9 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/cluster_master_test.go 
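Review bot: `variable "access_key"`, `variable "secret_key"` and `variable "registration_key"` hold credentials but are declared as plain `string` without `sensitive = true`, so their values are printed in `terraform plan`/`apply` output and in any CI log that captures it. If the module's required Terraform version is 0.14 or later (not visible in this hunk), add `sensitive = true` to each of the three blocks; the values still land in the state file, which has to be protected separately. The `default = ""` on access_key/secret_key presumably means the provider falls back to the environment or shared-credentials chain when they are left empty — a one-line comment such as `# empty: use the ambient AWS credential chain` would stop someone "fixing" it by pasting keys in. If this file is a straight move into deprecated/, the change matters most for the live copy.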
@@ -0,0 +1,100 @@ +package tests + +import ( + "github.com/stretchr/testify/assert" + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" +) + +// Test the Terraform module in aws/cluster-master using terratest. +func TestClusterMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsClusterMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetClusterMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsClusterMaster(t, terraformOptions) +} + +func GetTerraformOptionsClusterMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../cluster-master", + + // Variables passed to the module execution using -var options. 
To change any value refer to globals.go + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMapSingle, + "private_subnets_map": privateSubnetsMapSingle, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": clusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "allocate_and_associate_eip": allocateAndAssociatePublicEip, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueClusterGateway}, + "predefined_role": predefinedRole, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "memberAToken": gatewaySmart1CloudToken, + "memberBToken": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetClusterMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsClusterMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsClusterMaster(t *testing.T, terraformOptions *terraform.Options) { + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip") + outputMemberAEipPublicIP := terraform.Output(t, terraformOptions, 
"member_a_public_ip") + outputMemberBEipPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip") + outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh") + outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh") + outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url") + outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url") + + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputClusterPublicIP) + assert.NotEmpty(t, outputMemberAEipPublicIP) + assert.NotEmpty(t, outputMemberBEipPublicIP) + assert.NotEmpty(t, outputMemberASSH) + assert.NotEmpty(t, outputMemberBSSH) + assert.NotEmpty(t, outputMemberAURL) + assert.NotEmpty(t, outputMemberBURL) +} diff --git a/deprecated/terraform/aws/R80.40/tests/cross_az_cluster_master_test.go b/deprecated/terraform/aws/R80.40/tests/cross_az_cluster_master_test.go new file mode 100755 index 00000000..9e09bcef --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/cross_az_cluster_master_test.go 
@@ -0,0 +1,99 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" + "testing" +) + +// Test the Terraform module in aws/cross-az-cluster-master using terratest. +func TestCrossAzClusterMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsCrossAzClusterMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetCrossAzClusterMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsCrossAzClusterMaster(t, terraformOptions) +} + +func GetTerraformOptionsCrossAzClusterMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../cross-az-cluster-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "private_subnets_map": privateSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": crossAZClusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueClusterGateway}, + "predefined_role": predefinedRole, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, + 
"gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "memberAToken": gatewaySmart1CloudToken, + "memberBToken": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetCrossAzClusterMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsCrossAzClusterMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsCrossAzClusterMaster(t *testing.T, terraformOptions *terraform.Options) { + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip") + outputMemberAPublicIP := terraform.Output(t, terraformOptions, "member_a_public_ip") + outputMemberBPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip") + outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh") + outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh") + outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url") + outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url") + + // Validate that all output values exist + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputClusterPublicIP) + assert.NotEmpty(t, outputMemberAPublicIP) + assert.NotEmpty(t, outputMemberASSH) + assert.NotEmpty(t, outputMemberAURL) + assert.NotEmpty(t, outputMemberBPublicIP) + assert.NotEmpty(t, outputMemberBSSH) + assert.NotEmpty(t, outputMemberBURL) +} 
diff --git a/deprecated/terraform/aws/R80.40/tests/gateway_master_test.go b/deprecated/terraform/aws/R80.40/tests/gateway_master_test.go new file mode 100755 index 00000000..dd803d59 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/gateway_master_test.go 
@@ -0,0 +1,119 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/aws" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/gateway-master using terratest. +func TestGatewayMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsGatewayMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetGatewayMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsGatewayMaster(t, terraformOptions) +} + +func GetTerraformOptionsGatewayMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../gateway-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMapSingle, + "private_subnets_map": privateSubnetsMapSingle, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": gatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "allocate_and_associate_eip": allocateAndAssociatePublicEip, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueGateway}, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, 
+ "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "gateway_TokenKey": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + + "control_gateway_over_public_or_private_address": gatewaysProvisionAddressType, + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetGatewayMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsGatewayMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsGatewayMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputInternalRouteTableId := terraform.Output(t, terraformOptions, "internal_rtb_id") + outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_public_subnets_ids_list") + outputVpcPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_private_subnets_ids_list") + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputPermissiveSgId := terraform.Output(t, terraformOptions, "permissive_sg_id") + outputPermissiveSgName := terraform.Output(t, terraformOptions, "permissive_sg_name") + outputGatewayUrl := terraform.Output(t, terraformOptions, "gateway_url") + outputGatewayPublicIp := terraform.Output(t, terraformOptions, "gateway_public_ip") + outputGatewayInstanceId := terraform.Output(t, terraformOptions, "gateway_instance_id") + outputGatewayInstanceName := terraform.Output(t, 
terraformOptions, "gateway_instance_name") + + instanceTags := aws.GetTagsForEc2Instance(t, region, outputGatewayInstanceId) + nameTag, containsNameTag := instanceTags["Name"] + assert.True(t, containsNameTag) + assert.Equal(t, gatewayExpectedName, nameTag) + assert.Equal(t, gatewayExpectedName, outputGatewayInstanceName) + + testTag, containsTestTag := instanceTags[expectedTestTagKey] + assert.True(t, containsTestTag) + assert.Equal(t, expectedTestTagValueGateway, testTag) + + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputInternalRouteTableId) + assert.NotEmpty(t, outputVpcPublicSubnetsIdsList) + assert.NotEmpty(t, outputVpcPrivateSubnetsIdsList) + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputPermissiveSgId) + assert.NotEmpty(t, outputPermissiveSgName) + assert.NotEmpty(t, outputGatewayUrl) + assert.NotEmpty(t, outputGatewayPublicIp) + assert.NotEmpty(t, outputGatewayInstanceId) + assert.NotEmpty(t, outputGatewayInstanceName) +} diff --git a/deprecated/terraform/aws/R80.40/tests/globals.go b/deprecated/terraform/aws/R80.40/tests/globals.go new file mode 100755 index 00000000..647a026f --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/globals.go 
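Review bot: `"gateway_name": gatewayExpectedName` and `"management_server": managementExpectedName` are the same fixed names that gwlb_master_test.go in this diff passes, and both tests call `t.Parallel()` and deploy into the same region, so any resource the modules derive from those names with a region-unique constraint (IAM roles, log groups, the shared `keyName` pair) can collide or be torn down by the other test's `terraform.Destroy`. The terratest idiom is a per-run suffix: `uniqueId := random.UniqueId()` and `"gateway_name": fmt.Sprintf("%s-%s", gatewayExpectedName, uniqueId)`, with the `assert.Equal` on the Name tag updated to compare against the same value. Separately, `"management_server"` points the gateway at a management server by name that nothing in this test deploys; if gateway-master itself does not deploy one, auto-provisioning fails out of band and the `assert.NotEmpty` checks cannot see it — a comment stating that precondition, or an explicit check, would make the failure mode visible.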
@@ -0,0 +1,177 @@ +package tests + +import "fmt" + +// AWS region for deployed resources +const region = "ca-central-1" + +var envVars = map[string]string{ + "AWS_DEFAULT_REGION": region, +} + +const availabilityZoneA = region + "a" + +const availabilityZoneB = region + "b" + +// Predefined prefix for deployed resources +const predefinedPrefix = "test" + +// Predefined names for deployed resources +const gatewayPredefinedName = "CheckPoint-Gateway" + +const standalonePredefinedName = "CheckPoint-Standalone" + +const managementPredefinedName = "CheckPoint-Management" + +const gwlbPredefinedName = "CheckPoint-GWLB" + +const clusterGatewayPredefinedName = "CheckPoint-Cluster-Gateway" + +const crossAZClusterGatewayPredefinedName = "CheckPoint-Cross-AZ-Cluster-Gateway" + +const qsAutoscaleGatewayPredefinedName = "quickstart-security-gateway" + +const qsAutoscaleProvisionTag = "quickstart" + +const configurationTemplate = "configuration-template" + +// Expected names for deployed resources +func getExpectedName(predefinedName string) string { + return fmt.Sprintf("%s-%s", predefinedPrefix, predefinedName) +} + +var gatewayExpectedName = getExpectedName(gatewayPredefinedName) + +var standaloneExpectedName = getExpectedName(standalonePredefinedName) + +var managementExpectedName = getExpectedName(managementPredefinedName) + +var gwlbExpectedName = getExpectedName(gwlbPredefinedName) + +var clusterGatewayExpectedName = getExpectedName(clusterGatewayPredefinedName) + +var crossAZClusterGatewayExpectedName = getExpectedName(crossAZClusterGatewayPredefinedName) + +var qsAutoscaleGatewayExpectedName = getExpectedName(qsAutoscaleGatewayPredefinedName) + +// Autoscale group capacity configuration +const autoscaleGroupExpectedCapacityMin = 1 + +const autoscaleGroupExpectedCapacityMax = 1 + +const targetGroup1Name = "tf-test-target-group-1" + +// Common parameters for deployed resources +const keyName = "tf-test" + +const version = "R81.20-BYOL" + +const standaloneVersion = 
"R81.20-BYOL" + +const adminShell = "/bin/bash" + +const gatewayBootstrapScript = "echo 'this is gateway bootstrap script' > /home/admin/bootstrap.txt" + +const standaloneBootstrapScript = "echo 'this is standalone bootstrap script' > /home/admin/bootstrap.txt" + +const passwordHash = "12345678" + +const SICKey = "12345678" + +const gatewayInstanceType = "c5.xlarge" + +const standaloneInstanceType = gatewayInstanceType + +const managementInstanceType = "m5.xlarge" + +const volumeSize = 100 + +const volumeEncryption = "alias/aws/ebs" + +const webServerInstanceType = "t3.micro" + +const webServerAMI = "ami-0718a739967397e7d" + +const volumeType = "gp3" + +const anywhereAddress = "0.0.0.0/0" + +const loadBalancersType = "Network Load Balancer" + +const loadBalancerProtocol = "TCP" + +const certificate = "" + +const servicePort = "80" + +const enableVolumeEncryption = true + +const allocatePublicIP = true + +const allocateAndAssociatePublicEip = true + +const allowUploadDownload = true + +const enableInstanceConnect = true + +const enableCloudWatch = false + +const connectionAcceptanceRequired = false + +const enableCrossZoneLoadBalancing = true + +const managementDeploy = true + +const webServerDeploy = true + +const gatewaysBlades = true + +const disableInstanceTermination = false + +const gatewaySmart1CloudToken = "" + +const predefinedRole = "" + +const primaryNtp = "" + +const secondaryNtp = "" + +const expectedTestTagKey = "test_tag" + +const expectedTestTagValueClusterGateway = "cluster_gateway_tf" + +const expectedTestTagValueGateway = "gateway_tf" + +const autoscaleGroupName = "CheckPoint-ASG" + +const resourcesTagName = "tag-name" + +const gatewayHostname = "gw-hostname" + +const gatewaysProvisionAddressType = "private" + +const gatewaysPolicy = "Standard" + +const gatewayManagement = "Locally managed" + +// New VPC configuration +const vpcCIDR = "10.0.0.0/16" + +var publicSubnetsMap = map[string]int{availabilityZoneA: 1, availabilityZoneB: 3} + +var 
privateSubnetsMap = map[string]int{availabilityZoneA: 2, availabilityZoneB: 4} + +var publicSubnetsMapSingle = map[string]int{availabilityZoneA: 1} + +var privateSubnetsMapSingle = map[string]int{availabilityZoneA: 2} + +var tgwSubnetsMap = map[string]int{availabilityZoneA: 5, availabilityZoneB: 6} + +var availabilityZones = []string{availabilityZoneA, availabilityZoneB} + +const numberOfAZs = 2 + +const subnetsBitLength = 8 + +// Controller expected names +const gwlbControlllerExpectedName = "gwlb-controller" diff --git a/deprecated/terraform/aws/R80.40/tests/gwlb_master_test.go b/deprecated/terraform/aws/R80.40/tests/gwlb_master_test.go new file mode 100755 index 00000000..787277a8 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/gwlb_master_test.go 
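Review bot: `const passwordHash = "12345678"` and `const SICKey = "12345678"` are hard-coded credentials that every test in this package feeds to real gateways and management servers, and `anywhereAddress = "0.0.0.0/0"` is what those tests pass as `admin_cidr`, so the deployed instances accept that 8-character secret from the whole internet while a test runs. Generate them per run rather than as constants, e.g. `var SICKey = random.UniqueId()` (terratest `modules/random`), and narrow the admin CIDR to the runner's egress address. `passwordHash` is also not a hash in any format; whichever format the modules document (not visible here), the tests should pass a value in that format. `webServerAMI = "ami-0718a739967397e7d"` is bound to `region` ("ca-central-1") and will go stale; a comment saying so, or resolving it with `aws.GetAmazonLinuxAmi(t, region)` in the test, avoids a silent breakage when the region constant changes.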
@@ -0,0 +1,99 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/gwlb-master using terratest. +func TestGwlbMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsGwlbMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsGwlbMaster(t, terraformOptions) +} + +func GetTerraformOptionsGwlbMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../gwlb-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "volume_size": volumeSize, + "enable_instance_connect": enableInstanceConnect, + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + "admin_shell": adminShell, + + "gateway_load_balancer_name": gwlbExpectedName, + "target_group_name": targetGroup1Name, + "connection_acceptance_required": connectionAcceptanceRequired, + "enable_cross_zone_load_balancing": enableCrossZoneLoadBalancing, + + "gateway_name": gatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "minimum_group_size": autoscaleGroupExpectedCapacityMin, + "maximum_group_size": autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": 
passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "gateways_provision_address_type": gatewaysProvisionAddressType, + "allocate_public_IP": allocatePublicIP, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + + "management_deploy": managementDeploy, + "management_instance_type": managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "gateways_policy": gatewaysPolicy, + "gateway_management": gatewayManagement, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + + "volume_type": volumeType, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsGwlbMaster(t *testing.T, terraformOptions *terraform.Options) { + outputDeployment := terraform.Output(t, terraformOptions, "Deployment") + outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip") + outputGWLBARN := terraform.Output(t, terraformOptions, "gwlb_arn") + outputGWLBServiceName := terraform.Output(t, terraformOptions, "gwlb_service_name") + outputGWLBName := terraform.Output(t, terraformOptions, "gwlb_name") + outputGWLBControllerName := terraform.Output(t, terraformOptions, "controller_name") + outputConfigurationTemplateName := terraform.Output(t, terraformOptions, "template_name") + + assert.Equal(t, outputGWLBName, gwlbExpectedName) + assert.Equal(t, outputGWLBControllerName, gwlbControlllerExpectedName) + assert.Equal(t, outputConfigurationTemplateName, configurationTemplate) + + assert.NotEmpty(t, outputDeployment) + assert.NotEmpty(t, outputManagementPublicIP) + assert.NotEmpty(t, outputGWLBARN) + assert.NotEmpty(t, outputGWLBServiceName) +} 
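Review bot: `"admin_cidr": anywhereAddress` and `"gateways_addresses": anywhereAddress` open the management server (whose `management_public_ip` is asserted to exist) to 0.0.0.0/0 for the whole test run, guarded only by the fixed password hash from globals.go. Restrict `admin_cidr` to the test runner's egress address (look it up once in the test and pass `fmt.Sprintf("%s/32", ip)`), and set `gateways_addresses` to `vpcCIDR`, which is presumably the range the gateways' private addresses are taken from given `gateways_provision_address_type` is "private". Neither change affects the assertions below.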
diff --git a/deprecated/terraform/aws/R80.40/tests/qs_autoscale_master_test.go b/deprecated/terraform/aws/R80.40/tests/qs_autoscale_master_test.go new file mode 100755 index 00000000..df2bdbab --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/qs_autoscale_master_test.go 
@@ -0,0 +1,129 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/aws" + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in qs-autoscale-master using terratest. +func TestQsAutoscaleMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsQsAutoscaleMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsQsAutoscaleMaster(t, terraformOptions) +} + +func GetTerraformOptionsQsAutoscaleMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../qs-autoscale-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "prefix": predefinedPrefix, + "asg_name": autoscaleGroupName, + + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "private_subnets_map": privateSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "allow_upload_download": allowUploadDownload, + "provision_tag": qsAutoscaleProvisionTag, + + "load_balancers_type": loadBalancersType, + "load_balancer_protocol": loadBalancerProtocol, + "certificate": certificate, + "service_port": servicePort, + + "gateway_instance_type": gatewayInstanceType, + "gateways_min_group_size": autoscaleGroupExpectedCapacityMin, + "gateways_max_group_size": 
autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "enable_cloudwatch": enableCloudWatch, + + "management_deploy": managementDeploy, + "management_instance_type": managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "gateways_policy": gatewaysPolicy, + "gateways_blades": gatewaysBlades, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + + "servers_deploy": webServerDeploy, + "servers_instance_type": webServerInstanceType, + "server_ami": webServerAMI, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsQsAutoscaleMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "public_subnets_ids_list") + outputPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "private_subnets_ids_list") + outputManagementInstanceName := terraform.Output(t, terraformOptions, "management_name") + outputLBUrl := terraform.Output(t, terraformOptions, "load_balancer_url") + outputExternalLBId := terraform.Output(t, terraformOptions, "external_load_balancer_arn") + outputInternalLBId := terraform.Output(t, terraformOptions, "internal_load_balancer_arn") + outputExternalTGId := terraform.Output(t, terraformOptions, "external_lb_target_group_arn") + outputInternalTGId := terraform.Output(t, terraformOptions, "internal_lb_target_group_arn") + outputGwsASGId := terraform.Output(t, terraformOptions, "autoscale_autoscaling_group_arn") + outputSecurityGroup := terraform.Output(t, terraformOptions, "autoscale_security_group_id") + + asgName := terraform.Output(t, terraformOptions, 
"autoscale_autoscaling_group_name") + asgCapacityInfo := aws.GetCapacityInfoForAsg(t, asgName, region) + awsInstancesIds := aws.GetInstanceIdsForAsg(t, asgName, region) + + // website::tag::3:: + // Verify the ASG's Gateway instances contain the expected Name tag value + for _, instanceId := range awsInstancesIds { + // Look up the tags for the given Instance ID + instanceTags := aws.GetTagsForEc2Instance(t, region, instanceId) + + nameTag, containsNameTag := instanceTags["Name"] + assert.True(t, containsNameTag) + assert.Equal(t, qsAutoscaleGatewayExpectedName, nameTag) + } + + // Verify the ASG capacity info matches the expected + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMax), asgCapacityInfo.MaxCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.MinCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.CurrentCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.DesiredCapacity) + + assert.NotEmpty(t, outputManagementInstanceName) + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputPublicSubnetsIdsList) + assert.NotEmpty(t, outputPrivateSubnetsIdsList) + assert.NotEmpty(t, outputLBUrl) + assert.NotEmpty(t, outputExternalLBId) + assert.NotEmpty(t, outputInternalLBId) + assert.NotEmpty(t, outputExternalTGId) + assert.NotEmpty(t, outputInternalTGId) + assert.NotEmpty(t, outputGwsASGId) + assert.NotEmpty(t, outputSecurityGroup) +} diff --git a/deprecated/terraform/aws/R80.40/tests/standalone_master_test.go b/deprecated/terraform/aws/R80.40/tests/standalone_master_test.go new file mode 100755 index 00000000..c04e7f78 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tests/standalone_master_test.go 
@@ -0,0 +1,112 @@
+package tests
+
+import (
+ "github.com/gruntwork-io/terratest/modules/aws"
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Test the Terraform module in aws/standalone-master using terratest.
+func TestStandaloneMaster(t *testing.T) {
+ t.Parallel()
+
+ // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region.
+ terraformOptions := GetTerraformOptionsStandaloneMaster()
+ terraformOptionsWithTarget := GetTerraformOptionsWithTargetStandaloneMaster()
+
+ // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors
+ terraform.InitAndApply(t, terraformOptionsWithTarget)
+ terraform.Apply(t, terraformOptions)
+
+ // Run 'terraform output' and validate output values
+ ValidateOutputsStandaloneMaster(t, terraformOptions)
+}
+
+func GetTerraformOptionsStandaloneMaster() *terraform.Options {
+ terraformOptions := &terraform.Options{
+ TerraformDir: "../standalone-master",
+
+ // Variables passed to the module execution using -var options
+ Vars: map[string]interface{}{
+ "vpc_cidr": vpcCIDR,
+ "public_subnets_map": publicSubnetsMapSingle,
+ "private_subnets_map": privateSubnetsMapSingle,
+ "subnets_bit_length": subnetsBitLength,
+
+ "standalone_name": standaloneExpectedName,
+ "standalone_instance_type": standaloneInstanceType,
+ "key_name": keyName,
+ "allocate_and_associate_eip": allocateAndAssociatePublicEip,
+ "volume_size": volumeSize,
+ "volume_encryption": volumeEncryption,
+ "enable_instance_connect": enableInstanceConnect,
+ "disable_instance_termination": disableInstanceTermination,
+ "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueGateway},
+
+ "standalone_version": standaloneVersion,
+
"admin_shell": adminShell,
+ "standalone_password_hash": passwordHash,
+ "standalone_maintenance_mode_password_hash": passwordHash,
+
+ "resources_tag_name": resourcesTagName,
+ "standalone_hostname": gatewayHostname,
+ "allow_upload_download": allowUploadDownload,
+ "enable_cloudwatch": enableCloudWatch,
+ "standalone_bootstrap_script": standaloneBootstrapScript,
+ "primary_ntp": primaryNtp,
+ "secondary_ntp": secondaryNtp,
+ "admin_cidr": anywhereAddress,
+ "gateway_addresses": anywhereAddress,
+ },
+
+ // Set environment variables when running Terraform
+ EnvVars: envVars,
+ }
+ return terraformOptions
+}
+
+func GetTerraformOptionsWithTargetStandaloneMaster() *terraform.Options {
+ terraformOptionsWithTarget := GetTerraformOptionsStandaloneMaster()
+ terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"}
+
+ return terraformOptionsWithTarget
+}
+
+func ValidateOutputsStandaloneMaster(t *testing.T, terraformOptions *terraform.Options) {
+ outputVpcId := terraform.Output(t, terraformOptions, "vpc_id")
+ outputInternalRouteTableId := terraform.Output(t, terraformOptions, "internal_rtb_id")
+ outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_public_subnets_ids_list")
+ outputVpcPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_private_subnets_ids_list")
+ outputStandaloneInstanceId := terraform.Output(t, terraformOptions, "standalone_instance_id")
+ outputStandaloneInstanceName := terraform.Output(t, terraformOptions, "standalone_instance_name")
+ outputStandalonePublicIP := terraform.Output(t, terraformOptions, "standalone_public_ip")
+ outputStandaloneSSH := terraform.Output(t, terraformOptions, "standalone_ssh")
+ outputStandaloneURL := terraform.Output(t, terraformOptions, "standalone_url")
+
+ // website::tag::3::
+ // Verify the Standalone's instances contain the expected Name tag value
+ instanceTags := aws.GetTagsForEc2Instance(t, region, outputStandaloneInstanceId)
+ nameTag,
containsNameTag := instanceTags["Name"]
+ assert.True(t, containsNameTag)
+ assert.Equal(t, standaloneExpectedName, nameTag)
+ assert.Equal(t, standaloneExpectedName, outputStandaloneInstanceName)
+
+ testTag, containsTestTag := instanceTags[expectedTestTagKey]
+ assert.True(t, containsTestTag)
+ assert.Equal(t, expectedTestTagValueGateway, testTag)
+
+ assert.NotEmpty(t, outputVpcId)
+ assert.NotEmpty(t, outputInternalRouteTableId)
+ assert.NotEmpty(t, outputVpcPublicSubnetsIdsList)
+ assert.NotEmpty(t, outputVpcPrivateSubnetsIdsList)
+ assert.NotEmpty(t, outputStandaloneInstanceId)
+ assert.NotEmpty(t, outputStandaloneInstanceName)
+ assert.NotEmpty(t, outputStandalonePublicIP)
+ assert.NotEmpty(t, outputStandaloneSSH)
+ assert.NotEmpty(t, outputStandaloneURL)
+}
diff --git a/deprecated/terraform/aws/R80.40/tests/tgw_asg_master_test.go b/deprecated/terraform/aws/R80.40/tests/tgw_asg_master_test.go
new file mode 100755
index 00000000..c5c98afa
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tests/tgw_asg_master_test.go
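Review bot: Every secret-bearing input in `GetTerraformOptionsStandaloneMaster` — `standalone_password_hash` and `standalone_maintenance_mode_password_hash` here, and `gateway_SICKey` plus `memberAToken`/`memberBToken` in the tgw_asg, tgw_cross_az_cluster and tgw_gwlb hunks below — goes through `Vars`, which terratest turns into `-var` command-line arguments and, as far as I recall, echoes in the test log before invoking terraform, so the values land in CI output. Terraform reads the same variables from the environment, so moving them into the existing `EnvVars` map (e.g. `"TF_VAR_standalone_password_hash": passwordHash,`) keeps them off the logged command line; alternatively set `Logger: logger.Discard` on the options when nothing from the run needs printing. Separately, `admin_cidr` is `anywhereAddress` on an instance that also receives a public EIP via `allocate_and_associate_eip`, so the management interfaces of each test deployment are reachable from any address for the lifetime of the test. A CIDR scoped to the CI runner's egress address would give the same assertion coverage without that exposure.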
@@ -0,0 +1,95 @@
+package tests
+
+import (
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Test the Terraform module in aws/tgw-asg-master using terratest.
+func TestTgwAsgMaster(t *testing.T) {
+ t.Parallel()
+
+ // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region.
+ terraformOptions := GetTerraformOptionsTgwAsgMaster()
+
+ // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run 'terraform output' and validate output values
+ ValidateOutputsTgwAsgMaster(t, terraformOptions)
+}
+
+func GetTerraformOptionsTgwAsgMaster() *terraform.Options {
+ terraformOptions := &terraform.Options{
+ TerraformDir: "../tgw-asg-master",
+
+ // Variables passed to the module execution using -var options
+ Vars: map[string]interface{}{
+ "vpc_cidr": vpcCIDR,
+ "public_subnets_map": publicSubnetsMap,
+ "subnets_bit_length": subnetsBitLength,
+
+ "key_name": keyName,
+ "enable_volume_encryption": enableVolumeEncryption,
+ "enable_instance_connect": enableInstanceConnect,
+ "disable_instance_termination": disableInstanceTermination,
+ "allow_upload_download": allowUploadDownload,
+
+ "gateway_name": crossAZClusterGatewayExpectedName,
+ "gateway_instance_type": gatewayInstanceType,
+ "gateways_min_group_size": autoscaleGroupExpectedCapacityMin,
+ "gateways_max_group_size": autoscaleGroupExpectedCapacityMax,
+ "gateway_version": version,
+ "gateway_password_hash": passwordHash,
+ "gateway_maintenance_mode_password_hash": passwordHash,
+ "gateway_SICKey": SICKey,
+ "enable_cloudwatch": enableCloudWatch,
+ "asn": 6500,
+
+ "management_deploy": managementDeploy,
+ "management_instance_type":
managementInstanceType,
+ "management_version": version,
+ "management_password_hash": passwordHash,
+ "management_maintenance_mode_password_hash": passwordHash,
+ "management_permissions": "Create with read-write permissions",
+ "management_predefined_role": predefinedRole,
+ "gateways_blades": gatewaysBlades,
+ "admin_cidr": anywhereAddress,
+ "gateways_addresses": anywhereAddress,
+ "gateway_management": gatewayManagement,
+
+ "control_gateway_over_public_or_private_address": "private",
+ "management_server": managementExpectedName,
+ "configuration_template": configurationTemplate,
+ },
+
+ // Set environment variables when running Terraform
+ EnvVars: envVars,
+ }
+ return terraformOptions
+}
+
+func ValidateOutputsTgwAsgMaster(t *testing.T, terraformOptions *terraform.Options) {
+ outputVpcId := terraform.Output(t, terraformOptions, "vpc_id")
+ outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "public_subnets_ids_list")
+ outputManagementInstanceName := terraform.Output(t, terraformOptions, "management_instance_name")
+ outputConfigurationTemplate := terraform.Output(t, terraformOptions, "configuration_template")
+ outputControllerName := terraform.Output(t, terraformOptions, "controller_name")
+ outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip")
+ outputManagementURL := terraform.Output(t, terraformOptions, "management_url")
+ outputAutoscalingGroupName := terraform.Output(t, terraformOptions, "autoscaling_group_name")
+
+ assert.NotEmpty(t, outputVpcId)
+ assert.NotEmpty(t, outputVpcPublicSubnetsIdsList)
+ assert.NotEmpty(t, outputManagementInstanceName)
+ assert.NotEmpty(t, outputConfigurationTemplate)
+ assert.NotEmpty(t, outputControllerName)
+ assert.NotEmpty(t, outputManagementPublicIP)
+ assert.NotEmpty(t, outputManagementURL)
+ assert.NotEmpty(t, outputAutoscalingGroupName)
+}
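Review bot: `"asn": 6500,` in `GetTerraformOptionsTgwAsgMaster` passes a Go int where the module's README in this same commit documents `asn` as a string and its tfvars example uses `asn = "6500"`; Terraform coerces the literal, but the test should exercise the documented type — `"asn": "6500",`. In the same map `"management_permissions"` and `"control_gateway_over_public_or_private_address"` are inline literals while every neighbouring value comes from the shared package constants, so a change to those defaults silently leaves this one test on a different configuration; hoisting them next to `predefinedRole`/`gatewayManagement` keeps the test files consistent. `ValidateOutputsTgwAsgMaster` asserts only non-emptiness even though `configuration_template` is presumably echoed from the `configurationTemplate` input, so `assert.Equal(t, configurationTemplate, outputConfigurationTemplate)` would catch a wiring error that `NotEmpty` cannot.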
diff --git a/deprecated/terraform/aws/R80.40/tests/tgw_cross_az_cluster_master_test.go b/deprecated/terraform/aws/R80.40/tests/tgw_cross_az_cluster_master_test.go
new file mode 100755
index 00000000..8220bcd3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tests/tgw_cross_az_cluster_master_test.go
@@ -0,0 +1,103 @@
+package tests
+
+import (
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+ "testing"
+)
+
+// Test the Terraform module in aws/tgw-cross-az-cluster-master using terratest.
+func TestTgwCrossAzClusterMaster(t *testing.T) {
+ t.Parallel()
+
+ // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region.
+ terraformOptions := GetTerraformOptionsTgwCrossAzClusterMaster()
+ terraformOptionsWithTarget := GetTerraformOptionsWithTargetTgwCrossAzClusterMaster()
+
+ // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors
+ terraform.InitAndApply(t, terraformOptionsWithTarget)
+ terraform.Apply(t, terraformOptions)
+
+ // Run 'terraform output' and validate output values
+ ValidateOutputsTgwCrossAzClusterMaster(t, terraformOptions)
+}
+
+func GetTerraformOptionsTgwCrossAzClusterMaster() *terraform.Options {
+ terraformOptions := &terraform.Options{
+ TerraformDir: "../tgw-cross-az-cluster-master",
+
+ // Variables passed to the module execution using -var options
+ Vars: map[string]interface{}{
+ "vpc_cidr": vpcCIDR,
+ "public_subnets_map": publicSubnetsMap,
+ "private_subnets_map": privateSubnetsMap,
+ "tgw_subnets_map": tgwSubnetsMap,
+ "subnets_bit_length": subnetsBitLength,
+
+ "gateway_name": crossAZClusterGatewayExpectedName,
+ "gateway_instance_type": gatewayInstanceType,
+ "key_name": keyName,
+ "volume_size": volumeSize,
+ "volume_encryption": volumeEncryption,
+ "enable_instance_connect": enableInstanceConnect,
+ "disable_instance_termination": disableInstanceTermination,
+
+ "predefined_role": predefinedRole,
+
+ "gateway_version": version,
+ "admin_shell": adminShell,
+ "gateway_SICKey": SICKey,
+ "gateway_password_hash": passwordHash,
+
"gateway_maintenance_mode_password_hash": passwordHash,
+
+ "memberAToken": gatewaySmart1CloudToken,
+ "memberBToken": gatewaySmart1CloudToken,
+
+ "resources_tag_name": resourcesTagName,
+ "gateway_hostname": gatewayHostname,
+ "allow_upload_download": allowUploadDownload,
+ "enable_cloudwatch": enableCloudWatch,
+ "gateway_bootstrap_script": gatewayBootstrapScript,
+ "primary_ntp": primaryNtp,
+ "secondary_ntp": secondaryNtp,
+ },
+
+ // Set environment variables when running Terraform
+ EnvVars: envVars,
+ }
+ return terraformOptions
+}
+
+func GetTerraformOptionsWithTargetTgwCrossAzClusterMaster() *terraform.Options {
+ terraformOptionsWithTarget := GetTerraformOptionsTgwCrossAzClusterMaster()
+ terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"}
+
+ return terraformOptionsWithTarget
+}
+
+func ValidateOutputsTgwCrossAzClusterMaster(t *testing.T, terraformOptions *terraform.Options) {
+ outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip")
+ outputMemberAPublicIP := terraform.Output(t, terraformOptions, "member_a_public_ip")
+ outputMemberBPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip")
+ outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh")
+ outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh")
+ outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url")
+ outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url")
+ outputMemberAENI := terraform.Output(t, terraformOptions, "member_a_eni")
+ outputMemberBENI := terraform.Output(t, terraformOptions, "member_b_eni")
+ outputVpcId := terraform.Output(t, terraformOptions, "vpc_id")
+
+ assert.NotEmpty(t, outputClusterPublicIP)
+ assert.NotEmpty(t, outputMemberAPublicIP)
+ assert.NotEmpty(t, outputMemberASSH)
+ assert.NotEmpty(t, outputMemberAURL)
+ assert.NotEmpty(t, outputMemberBPublicIP)
+ assert.NotEmpty(t, outputMemberBSSH)
+ assert.NotEmpty(t,
outputMemberBURL)
+ assert.NotEmpty(t, outputMemberAENI)
+ assert.NotEmpty(t, outputMemberBENI)
+ assert.NotEmpty(t, outputVpcId)
+}
diff --git a/deprecated/terraform/aws/R80.40/tests/tgw_gwlb_master_test.go b/deprecated/terraform/aws/R80.40/tests/tgw_gwlb_master_test.go
new file mode 100755
index 00000000..da863cea
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tests/tgw_gwlb_master_test.go
@@ -0,0 +1,110 @@
+package tests
+
+import (
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Test the Terraform module in aws/tgw-gwlb-master using terratest.
+func TestTgwGwlbMaster(t *testing.T) {
+ t.Parallel()
+
+ // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region.
+ terraformOptions := GetTerraformOptionsTgwGwlbMaster()
+
+ // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run 'terraform output' and validate output values
+ ValidateOutputsTgwGwlbMaster(t, terraformOptions)
+}
+
+func GetTerraformOptionsTgwGwlbMaster() *terraform.Options {
+ terraformOptions := &terraform.Options{
+ TerraformDir: "../tgw-gwlb-master",
+
+ // Variables passed to the module execution using -var options
+ Vars: map[string]interface{}{
+ "vpc_cidr": vpcCIDR,
+ "public_subnets_map": publicSubnetsMap,
+ "tgw_subnets_map": tgwSubnetsMap,
+ "subnets_bit_length": subnetsBitLength,
+
+ "availability_zones": availabilityZones,
+ "number_of_AZs": numberOfAZs,
+
+ "nat_gw_subnet_1_cidr": "10.0.13.0/24",
+ "nat_gw_subnet_2_cidr": "10.0.23.0/24",
+
+ "gwlbe_subnet_1_cidr": "10.0.14.0/24",
+ "gwlbe_subnet_2_cidr": "10.0.24.0/24",
+
+ "key_name": keyName,
+ "enable_volume_encryption": enableVolumeEncryption,
+ "volume_size": volumeSize,
+ "enable_instance_connect": enableInstanceConnect,
+ "disable_instance_termination": disableInstanceTermination,
+ "allow_upload_download": allowUploadDownload,
+ "management_server": managementExpectedName,
+ "configuration_template": configurationTemplate,
+ "admin_shell": adminShell,
+
+ "gateway_load_balancer_name": gwlbExpectedName,
+ "target_group_name":
targetGroup1Name,
+ "enable_cross_zone_load_balancing": enableCrossZoneLoadBalancing,
+
+ "gateway_name": gatewayExpectedName,
+ "gateway_instance_type": gatewayInstanceType,
+ "minimum_group_size": autoscaleGroupExpectedCapacityMin,
+ "maximum_group_size": autoscaleGroupExpectedCapacityMax,
+ "gateway_version": version,
+ "gateway_password_hash": passwordHash,
+ "gateway_maintenance_mode_password_hash": passwordHash,
+ "gateway_SICKey": SICKey,
+ "gateways_provision_address_type": gatewaysProvisionAddressType,
+ "allocate_public_IP": allocatePublicIP,
+ "enable_cloudwatch": enableCloudWatch,
+ "gateway_bootstrap_script": gatewayBootstrapScript,
+
+ "management_deploy": managementDeploy,
+ "management_instance_type": managementInstanceType,
+ "management_version": version,
+ "management_password_hash": passwordHash,
+ "management_maintenance_mode_password_hash": passwordHash,
+ "gateways_policy": gatewaysPolicy,
+ "gateway_management": gatewayManagement,
+ "admin_cidr": anywhereAddress,
+ "gateways_addresses": anywhereAddress,
+
+ "volume_type": volumeType,
+ },
+
+ // Set environment variables when running Terraform
+ EnvVars: envVars,
+ }
+ return terraformOptions
+}
+
+func ValidateOutputsTgwGwlbMaster(t *testing.T, terraformOptions *terraform.Options) {
+ outputDeployment := terraform.Output(t, terraformOptions, "Deployment")
+ outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip")
+ outputGWLBARN := terraform.Output(t, terraformOptions, "gwlb_arn")
+ outputGWLBServiceName := terraform.Output(t, terraformOptions, "gwlb_service_name")
+ outputGWLBName := terraform.Output(t, terraformOptions, "gwlb_name")
+ outputGWLBControllerName := terraform.Output(t, terraformOptions, "controller_name")
+ outputConfigurationTemplateName := terraform.Output(t, terraformOptions, "template_name")
+
+ assert.Equal(t, outputGWLBName, gwlbExpectedName)
+ assert.Equal(t, outputGWLBControllerName, gwlbControlllerExpectedName)
+ assert.Equal(t,
outputConfigurationTemplateName, configurationTemplate)
+
+ assert.NotEmpty(t, outputDeployment)
+ assert.NotEmpty(t, outputManagementPublicIP)
+ assert.NotEmpty(t, outputGWLBARN)
+ assert.NotEmpty(t, outputGWLBServiceName)
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/README.md b/deprecated/terraform/aws/R80.40/tgw-asg-master/README.md
new file mode 100755
index 00000000..4c9ec6f8
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/README.md
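Review bot: The three `assert.Equal` calls at the end of `ValidateOutputsTgwGwlbMaster` pass the actual value first and the expectation second, the reverse of testify's `(t, expected, actual)` order that the other validators in this package follow (e.g. `assert.Equal(t, standaloneExpectedName, nameTag)`), so a failure message would label the two values backwards: `assert.Equal(t, gwlbExpectedName, outputGWLBName)`, `assert.Equal(t, gwlbControlllerExpectedName, outputGWLBControllerName)`, `assert.Equal(t, configurationTemplate, outputConfigurationTemplateName)`. The identifier `gwlbControlllerExpectedName` looks misspelled (three l's); it is declared in a shared file outside this hunk, so correcting it means renaming it there as well. The four `nat_gw_subnet_*`/`gwlbe_subnet_*` CIDRs are hard-coded to 10.0.x.0/24 while the VPC range comes from the shared `vpcCIDR`, so the apply presumably fails if that constant is ever changed; deriving them from the same base, or at least a one-line comment naming the coupling, would make that dependency visible.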
@@ -0,0 +1,223 @@ +# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/tgw-asg +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/tgw-asg-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-gateway" + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_cloudwatch = true + asn = "6500" + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + management_permissions = "Create with read-write permissions" + management_predefined_role = "" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + gateway_management = "Locally managed" + + // --- Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "management-server" + configuration_template = "template-name" + ``` + +- Conditional creation + - To create a Security Management server with IAM Role: + ``` + management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | +| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/locals.tf b/deprecated/terraform/aws/R80.40/tgw-asg-master/locals.tf new file mode 100755 index 00000000..467c4b4e --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/locals.tf 
@@ -0,0 +1,66 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ permissions_allowed_values = [
+ "None (configure later)",
+ "Use existing (specify an existing IAM role name)",
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.management_permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.management_permissions)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ?
0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ?
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_asn = "^[0-9]+$"
+ // Will fail if var.asn is invalid
+ regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/main.tf b/deprecated/terraform/aws/R80.40/tgw-asg-master/main.tf
new file mode 100755
index 00000000..a9fdd06e
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/main.tf
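Review bot: The SIC-key validation near the top of the hunk names the variable two different ways: the comment reads `// Will fail if var.gateway_SIC_Key is invalid` and the error text says `[gateway_SIC_Key]`, while the expression itself reads `var.gateway_SICKey`, which is the name declared in variables.tf and wired through main.tf, so a failing check points the operator at a variable that does not exist. Both should use the declared name: `// Will fail if var.gateway_SICKey is invalid` and `"Variable [gateway_SICKey] must be at least 8 alphanumeric characters"`. The key_name message has a typo as well and should read `"Variable [key_name] must be a non-empty string"`. Note also that `regex_valid_admin_cidr` accepts a /0 prefix, so the `0.0.0.0/0` value shipped in terraform.tfvars passes this check silently; if the admin network is meant to be restricted, either tighten the prefix range or add a comment stating that /0 is deliberately accepted.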
@@ -0,0 +1,55 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "launch_tgw_asg_into_vpc" {
+ source = "../tgw-asg"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ gateways_min_group_size = var.gateways_min_group_size
+ gateways_max_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ enable_cloudwatch = var.enable_cloudwatch
+ asn = var.asn
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ management_permissions = var.management_permissions
+ management_predefined_role = var.management_predefined_role
+ gateways_blades = var.gateways_blades
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ control_gateway_over_public_or_private_address =
var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/output.tf b/deprecated/terraform/aws/R80.40/tgw-asg-master/output.tf
new file mode 100755
index 00000000..ed183c0a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/output.tf
@@ -0,0 +1,24 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "management_instance_name" {
+ value = module.launch_tgw_asg_into_vpc.management_instance_name
+}
+output "configuration_template" {
+ value = module.launch_tgw_asg_into_vpc.configuration_template
+}
+output "controller_name" {
+ value = module.launch_tgw_asg_into_vpc.controller_name
+}
+output "management_public_ip" {
+ value = module.launch_tgw_asg_into_vpc.management_public_ip
+}
+output "management_url" {
+ value = module.launch_tgw_asg_into_vpc.management_url
+}
+output "autoscaling_group_name" {
+ value = module.launch_tgw_asg_into_vpc.autoscaling_group_name
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-asg-master/terraform.tfvars
new file mode 100755
index 00000000..7807cc3d
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/terraform.tfvars
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-gateway"
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+asn = "6500"
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+management_permissions = "Create with read-write permissions"
+management_predefined_role = ""
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+gateway_management = "Locally managed"
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = "management-server"
+configuration_template = "template-name"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/variables.tf b/deprecated/terraform/aws/R80.40/tgw-asg-master/variables.tf
new file mode 100755
index 00000000..a709a74f
--- /dev/null
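Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` open the management server's web, SSH and GUI-client access (per the admin_cidr description in variables.tf) to any source address, and `gateway_SICKey = "12345678"` is the same well-known default the README table lists, so a deployment that keeps this file as-is exposes management with a guessable trust-establishment key. Since this tfvars is a template to be filled in, the values should force a deliberate choice rather than work out of the box: `admin_cidr = "203.0.113.0/24" // replace with the network your admins connect from` (constructed documentation-range example), `gateways_addresses = "10.0.0.0/16" // the vpc_cidr above; presumably sufficient for the Locally managed setting used here`, and `gateway_SICKey = "<RANDOM-ALPHANUMERIC-8-OR-MORE>"`, which the locals.tf pattern would reject until it is replaced. The `key_name = "publickey"` placeholder is fine as it will simply fail to resolve to a key pair if left unchanged.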
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/variables.tf 
@@ -0,0 +1,217 @@
+// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group
+// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr.
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+ default = true
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "asn" {
+ type = string
+ description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways"
+ default = "6500"
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "management_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read-write permissions"
+}
+variable "management_predefined_role" {
+ type = string
+ description = "(Optional)
A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'"
+ default = ""
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = "management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = "TGW-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg-master/versions.tf b/deprecated/terraform/aws/R80.40/tgw-asg-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
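Review bot: `variable "key_name"` declares `type = string` but `default = true`; Terraform's implicit conversion will most likely turn that into the string `"true"`, so a tfvars that omits key_name launches with a key pair named "true" (or fails with a confusing EC2 error) instead of the missing-required-variable error one would expect, and the `[\S\s]+[\S]+` pattern in locals.tf accepts that value. Drop the default so the variable is required, as `public_subnets_map` and `subnets_bit_length` in the same hunk already are. Separately, `secret_key`, both admin password hashes, both maintenance-mode hashes and `gateway_SICKey` are secrets but carry no `sensitive = true`, which `required_version = ">= 0.14.3"` in versions.tf already allows; marking them keeps the values out of plan and apply output (they still land in state, so the state backend needs protecting regardless). The remaining `variable` blocks are unchanged.
```hcl
variable "secret_key" {
  type        = string
  description = "AWS secret key"
  default     = ""
  sensitive   = true
}
// … unchanged: network variables …
variable "key_name" {
  type        = string
  description = "The EC2 Key Pair name to allow SSH access to the instances"
}
// … unchanged: remaining variables; add `sensitive = true` the same way to gateway_password_hash, gateway_maintenance_mode_password_hash, gateway_SICKey, management_password_hash and management_maintenance_mode_password_hash …
```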
+++ b/deprecated/terraform/aws/R80.40/tgw-asg-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/README.md b/deprecated/terraform/aws/R80.40/tgw-asg/README.md
new file mode 100755
index 00000000..3861bec6
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg/README.md
@@ -0,0 +1,213 @@ +# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/tgw-asg/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Network Configuration --- + vpc_id = "vpc-12345678" + gateways_subnets = ["subnet-123b5678", "subnet-123a4567"] + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-gateway" + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_cloudwatch = true + asn = "6500" + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + management_permissions = "Create with read-write permissions" + management_predefined_role = "" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + gateway_management = "Locally managed" + + // --- Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "management-server" + configuration_template = "template-name" + ``` + +- Conditional creation + - To create a Security Management server with IAM Role: + ``` + management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | +| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/locals.tf b/deprecated/terraform/aws/R80.40/tgw-asg/locals.tf new file mode 100755 index 00000000..7ecd5cf4 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-asg/locals.tf 
@@ -0,0 +1,64 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.management_permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.management_permissions) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // will fail if [var.gateway_management] is invalid: + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 
0 : "Variable [management_password_hash] must be a valid password hash" + regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + + regex_valid_asn = "^[0-9]+$" + // Will fail if var.asn is invalid + regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn" + + regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.admin_cidr is invalid + regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR" + + regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.gateways_addresses is invalid + regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 
0 : "Variable [gateways_addresses] must be a valid gateways addresses" + + regex_valid_management_server = "^[0-9a-zA-Z-._]+$" + // Will fail if var.management_server is invalid + regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string" + + regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$" + // Will fail if var.configuration_template is invalid + regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string" + + deploy_management_condition = var.management_deploy == true +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/main.tf b/deprecated/terraform/aws/R80.40/tgw-asg/main.tf new file mode 100755 index 00000000..8b7b3cf1 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-asg/main.tf 
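Review bot: The `regex_key_name_result` check cannot catch a missing key pair, because `variable "key_name"` in the tgw-asg variables.tf added by this same commit carries `default = true`, which Terraform coerces to the string "true" for a string-typed variable and the pattern `[\S\s]+[\S]+` then accepts; dropping that default in variables.tf would make an unset key fail at plan time instead of at instance launch. Two messages are also off: `regex_gateway_sic_result` reports `[gateway_SIC_Key]` while the variable it validates is `gateway_SICKey`, and `regex_key_name_result` says "none empty" — suggest `... : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"` and `... : "Variable [key_name] must be a non-empty string"`. The README's Inputs table in this commit also lists the key as gateway_SIC_Key, so whichever spelling is kept should be used in all three places.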
@@ -0,0 +1,64 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "autoscale" { + source = "../autoscale" + providers = { + aws = aws + } + + vpc_id = var.vpc_id + subnet_ids = var.gateways_subnets + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + enable_instance_connect = var.enable_instance_connect + metadata_imdsv2_required = var.metadata_imdsv2_required + minimum_group_size = var.gateways_min_group_size + maximum_group_size = var.gateways_max_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + allow_upload_download = var.allow_upload_download + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_tgw' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_tgw\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Setting ASN to: ${var.asn}'; clish -c 'set as ${var.asn}' -s; echo -e '\nFinished Bootstrap script\n'" + gateways_provision_address_type = var.control_gateway_over_public_or_private_address + management_server = var.management_server + configuration_template = var.configuration_template +} + +data "aws_region" "current"{} + +module "management" { + providers = { + aws = aws + } + count = local.deploy_management_condition ? 
1 : 0 + source = "../management" + + vpc_id = var.vpc_id + subnet_id = var.gateways_subnets[0] + management_name = var.management_server + management_instance_type = var.management_instance_type + key_name = var.key_name + allocate_and_associate_eip = true + volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : "" + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + iam_permissions = var.management_permissions + predefined_role = var.management_predefined_role + management_version = var.management_version + management_password_hash = var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + allow_upload_download = var.allow_upload_download + admin_cidr = var.admin_cidr + gateway_addresses = var.gateways_addresses + gateway_management = var.gateway_management + management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_tgw_asg' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_tgw_asg\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Configuring VPN community: tgw-community'; [[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh \"tgw-community\" || /etc/fw/scripts/autoprovision/config-community.sh \"tgw-community\"; echo 'Setting VPN rules'; mgmt_cli -r true add access-layer name 'Inline'; mgmt_cli -r true add access-rule layer Network position 1 name 'tgw-community VPN Traffic Rule' vpn.directional.1.from 'tgw-community' vpn.directional.1.to 'tgw-community' 
vpn.directional.2.from 'tgw-community' vpn.directional.2.to External_clear action 'Apply Layer' inline-layer 'Inline'; mgmt_cli -r true add nat-rule package standard position bottom install-on 'Policy Targets' original-source All_Internet translated-source All_Internet method hide; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn tgw-controller -po Standard -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam -dt TGW; autoprov_cfg -f set controller AWS -cn tgw-controller -sv -com tgw-community; autoprov_cfg -f set template -tn ${var.configuration_template} -vpn -vd '''' -con tgw-community; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.configuration_template} -ia -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'" +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/output.tf b/deprecated/terraform/aws/R80.40/tgw-asg/output.tf new file mode 100755 index 00000000..8a282a53 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-asg/output.tf @@ -0,0 +1,18 @@ +output "management_instance_name" { + value = module.management[0].management_instance_name +} +output "configuration_template" { + value = var.configuration_template +} +output "controller_name" { + value = "tgw-controller" +} +output "management_public_ip" { + value = module.management[0].management_public_ip +} +output "management_url" { + value = module.management[0].management_url +} +output "autoscaling_group_name" { + value = module.autoscale.autoscale_autoscaling_group_name +} diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-asg/terraform.tfvars new file mode 100755 index 00000000..943f16b4 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-asg/terraform.tfvars 
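Review bot: `gateway_SICKey` is interpolated into both `gateway_bootstrap_script` and `management_bootstrap_script` (the `-otp ${var.gateway_SICKey}` argument), so the one-time SIC secret ends up in what the submodules appear to pass through as instance user data; user data is readable from inside the instance and by any principal allowed `ec2:DescribeInstanceAttribute`, and it is printed in clear text by `terraform plan` unless the source variable is marked sensitive. Declaring `sensitive = true` on `gateway_SICKey` and on the four password-hash variables in variables.tf would at least keep these values out of plan output, and a comment here such as `# NOTE: SIC key and password hashes travel via user data; variables are marked sensitive in variables.tf` would record the trade-off. The shell interpolations of `var.asn`, `var.management_server`, `var.configuration_template` and `var.gateway_SICKey` are only safe because locals.tf constrains each with a regex, which deserves `# interpolated values are regex-validated in locals.tf; keep both files in sync` so a later relaxation of a pattern is not made in isolation. Separately, the README added in this commit documents this provider block as reading `var.aws_access_key_ID` / `var.aws_secret_access_key`, whereas the block reads `var.access_key` / `var.secret_key`; one of the two should be corrected.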
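Review bot: The three `module.management[0].…` outputs break the configuration when `management_deploy = false`, because main.tf gives the management module `count = local.deploy_management_condition ? 1 : 0` and an empty module instance list has no index 0, so `terraform plan` fails on the outputs instead of simply skipping the management server. Guarding each value keeps the optional path usable: `value = try(module.management[0].management_instance_name, null)`, `value = try(module.management[0].management_public_ip, null)`, `value = try(module.management[0].management_url, null)`. A one-line comment above them, `# null when management_deploy is false (module count = 0)`, would document the contract.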
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_id = "vpc-12345678"
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-gateway"
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+asn = "65000"
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+management_permissions = "Create with read-write permissions"
+management_predefined_role = ""
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+gateway_management = "Locally managed"
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = "management-server"
+configuration_template = "template-name"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/variables.tf b/deprecated/terraform/aws/R80.40/tgw-asg/variables.tf
new file mode 100755
index 00000000..9a9a47e1
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg/variables.tf
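Review bot: The sample `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` open the Security Management Server's web, SSH and graphical-client access to the whole internet if this file is applied unchanged, and the CIDR check in locals.tf accepts them, so nothing in the configuration stops it; since the README's Inputs table lists both as "valid CIDR" with no default, the sample would be safer with a narrowed placeholder such as `admin_cidr = "203.0.113.0/24" # replace with your admin network` (constructed example). `gateway_SICKey = "12345678"` is the shortest value the SIC regex accepts and is repeated as the documented default in the README, which invites deployments with a guessable trust key; a placeholder that fails validation until replaced would be the safer sample. `asn = "65000"` here disagrees with the README's sample `asn = "6500"` and its documented default; one of them should be corrected.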
@@ -0,0 +1,211 @@
+// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group
+// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "gateways_subnets" {
+ type = list(string)
+ description = "Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+ default = true
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "asn" {
+ type = string
+ description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways"
+ default = "6500"
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "management_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read-write permissions"
+}
+variable "management_predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'"
+ default = ""
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = "management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = "TGW-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The 
configuration_template name can not exceed 30 characters"
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-asg/versions.tf b/deprecated/terraform/aws/R80.40/tgw-asg/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-asg/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/README.md b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/README.md
new file mode 100755
index 00000000..1dbcaeef
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/README.md
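Review bot: `variable "key_name"` is declared `type = string` but carries `default = true`; Terraform converts the bool to the string "true", so a caller who omits key_name gets instances referencing a key pair literally named "true" instead of a "required variable" error — drop the default so the variable is mandatory, as `vpc_id` and `gateways_subnets` already are. `access_key`, `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` hold secrets but none is marked `sensitive = true`, so their values can appear in plan and apply output wherever they are interpolated; the argument is available since versions.tf in this commit pins `required_version = ">= 0.14.3"`. The `asn` default `"6500"` also disagrees with the `"65000"` in the sample tfvars of the same module, so one of the two is presumably a typo. `variable "vpc_id"` is the only input without a `description`.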
@@ -0,0 +1,208 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster with a new VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221229 | Removed unsupported versions | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/locals.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..387fb7c1 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
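Review bot: The `regex(...) == var.x ? 0 : "message"` locals only fail when `regex()` finds no match at all; when the pattern matches a substring, the local quietly evaluates to the message string, which nothing reads. Every pattern here is anchored except `regex_valid_key_name = "[\\S\\s]+[\\S]+"`, so a key_name with trailing whitespace passes without any error despite the "will fail" comment, and even in the failing cases the user sees Terraform's generic regex error rather than the intended message. If this module's versions.tf pins the same `required_version = ">= 0.14.3"` as the tgw-asg one in this commit, these checks would be clearer as `validation { condition = can(regex(local.regex_valid_key_name, var.key_name)) error_message = "..." }` blocks on the variables, as the tgw-asg variables.tf already does for `configuration_template`. `volume_encryption_condition = var.volume_encryption != "" ? true : false` can simply be `var.volume_encryption != ""`.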
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/main.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/main.tf new file mode 100755 index 00000000..d04b9548 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/main.tf 
@@ -0,0 +1,73 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ tgw_subnets_map = var.tgw_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnet1" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnet2" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[1]
+}
+module "tgw_cluster_into_vpc" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ source = "../tgw-cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_1 = module.launch_vpc.public_subnets_ids_list[0]
+ public_subnet_2 = module.launch_vpc.public_subnets_ids_list[1]
+ private_subnet_1 = module.launch_vpc.private_subnets_ids_list[0]
+ private_subnet_2 = module.launch_vpc.private_subnets_ids_list[1]
+ tgw_subnet_1_id = module.launch_vpc.tgw_subnets_ids_list[0]
+ tgw_subnet_2_id =module.launch_vpc.tgw_subnets_ids_list[1]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/output.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/output.tf
new file mode 100755
index 00000000..fd143a67
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/output.tf
@@ -0,0 +1,30 @@
+output "cluster_public_ip" {
+ value = module.tgw_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.tgw_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.tgw_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.tgw_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.tgw_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.tgw_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.tgw_cluster_into_vpc.member_b_url
+}
+output "member_a_eni" {
+ value = module.tgw_cluster_into_vpc.member_a_eni
+}
+output "member_b_eni" {
+ value = module.tgw_cluster_into_vpc.member_b_eni
+}
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
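Review bot: `allocate_and_associate_eip` is declared in this master's variables.tf (default true) but is never passed to `module "tgw_cluster_into_vpc"` — the argument list above goes from `enable_instance_connect` through `volume_type` without it — so a deployer who sets it to false to avoid a public IP per cluster member still gets the child module's own default, which its README in this same commit lists as true; add `allocate_and_associate_eip = var.allocate_and_associate_eip` next to the other pass-throughs. Separately, the `provider "aws"` block at the top feeds long-lived `access_key`/`secret_key` through plain variables that the README tells users to put in terraform.tfvars; a comment such as `// Prefer an IAM role, a named profile or AWS_* environment variables; static keys placed in tfvars are written to disk and easily committed` would steer users away from that path. The hunk is a whole new file, so nothing continues outside it.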
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/terraform.tfvars
new file mode 100755
index 00000000..2a1fee10
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.29.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+tgw_subnets_map = {
+ "us-east-1a" = 5
+ "us-east-1b" = 6
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/variables.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/variables.tf
new file mode 100755
index 00000000..1485389b
--- /dev/null
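Review bot: `gateway_SICKey = "12345678"` is a sample value that satisfies the only check the child module applies to it (`^[a-zA-Z0-9]{8,}$` in its locals.tf later in this diff), so an unedited copy of this file deploys a cluster whose SIC one-time password is a trivially guessable string. Changing it to `gateway_SICKey = "" # REQUIRED: set a random string of at least 8 alphanumeric characters` makes an untouched file fail at plan time instead, since an empty string does not match that pattern and `regex()` errors on a non-match — assuming the validating local is evaluated, which I cannot confirm from this hunk. Once filled in, this file also holds the Smart-1 Cloud tokens and the admin password hash, so it is worth a leading comment telling users to keep it out of version control or move secrets to an untracked `*.auto.tfvars`. The child module's README in this commit repeats 12345678 as the default and would want the same treatment.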
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/variables.tf 
@@ -0,0 +1,200 @@ +// Module: Check Point CloudGuard Network Security Cluster into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// ---VPC Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +resource "null_resource" "tgw_availability_zones_validation1" { + count = length(var.public_subnets_map) == 2 ? 0 : "variable public_subnets_map size must be equal to variable 2" +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " +} +resource "null_resource" "tgw_availability_zones_validation2" { + count = length(var.private_subnets_map) == 2 ? 0 : "variable private_subnets_map size must be equal to variable 2" +} +variable "tgw_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3} ) " +} +resource "null_resource" "tgw_availability_zones_validation3" { + count = length(var.tgw_subnets_map) == 2 ? 0 : "variable tgw_subnets_map size must be equal to variable 2" +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/versions.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster-master/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/README.md b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/README.md new file mode 100755 index 00000000..ac9a5fc2 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/README.md 
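Review bot: None of the secret-bearing variables in this file — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is marked `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf in this same commit requires Terraform >= 0.14.3, which supports the attribute, so add `sensitive = true` to each of those seven blocks. The `null_resource` size checks (`tgw_availability_zones_validation1..3`) surface only Terraform's generic "Invalid count argument" error, and their message text `must be equal to variable 2` reads as a leftover; a `validation { condition = length(var.public_subnets_map) == 2 ... }` block on each map variable, with an `error_message` such as "exactly 2 availability zones are required", yields the intended message. The hunk is a whole new file, so nothing continues outside it.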
@@ -0,0 +1,204 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-1234" + public_subnet_1 = "subnet-1234" + public_subnet_2 = "subnet-2345" + private_subnet_1 = "subnet-3456" + private_subnet_2 = "subnet-4567" + tgw_subnet_1_id = "subnet-5678" + tgw_subnet_2_id = "subnet-6789" + private_route_table = "" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221229 | Removed unsupported versions | +| 20221123 | R81.20 version support | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/locals.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/locals.tf new file mode 100755 index 00000000..9a9929b7 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
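Review bot: The `? 0 : "Variable [...] must ..."` branches in this locals block never fail a plan — a local that evaluates to a string is perfectly valid — so the only thing that actually aborts is `regex()` raising its generic "pattern did not match" error when there is no match at all, and the custom messages are never shown. For the anchored patterns (SIC key, hostname, password hashes, NTP) the message branch is therefore dead code, and for the unanchored `regex_valid_key_name` a key name such as `"mykey "` partially matches, compares unequal, and slips through silently as far as this file is concerned. The versions.tf added in this commit requires Terraform >= 0.14.3, so these checks belong in `validation { condition = can(regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey)) error_message = "..." }` blocks on the variables, where the message is actually surfaced; if the locals are kept, at least change the comments to say "fails only if the pattern does not match at all". `provided_roue_table` also looks like a typo for `provided_route_table`, though nothing in this hunk reads it.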
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/main.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/main.tf
new file mode 100755
index 00000000..4ae319ab
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/main.tf
@@ -0,0 +1,62 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = var.vpc_id
+ public_subnet_ids = tolist([var.public_subnet_1, var.public_subnet_2])
+ private_subnet_ids = tolist([var.private_subnet_1, var.private_subnet_2])
+ private_route_table = var.private_route_table
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
+resource "aws_route_table" "tgw_route_table" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ network_interface_id = module.cluster_into_vpc.member_a_eni
+ }
+ tags = {
+ Name = "TGW Attachment Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" {
+ subnet_id = var.tgw_subnet_1_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
+resource "aws_route_table_association" "tgw_attachment2_rtb_assoc" {
+ subnet_id = var.tgw_subnet_2_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/output.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/output.tf
new file mode 100755
index 00000000..2aa6d333
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/output.tf
@@ -0,0 +1,27 @@
+output "cluster_public_ip" {
+ value = module.cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.cluster_into_vpc.member_b_public_ip
+}
+output "member_a_eni" {
+ value = module.cluster_into_vpc.member_a_eni
+}
+output "member_a_ssh" {
+ value = module.cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.cluster_into_vpc.member_b_url
+}
+output "member_b_eni" {
+ value = module.cluster_into_vpc.member_b_eni
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..c1008d0d
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/terraform.tfvars
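Review bot: `aws_route_table.tgw_route_table` pins the 0.0.0.0/0 next hop to `module.cluster_into_vpc.member_a_eni`, so any change to that route made outside Terraform — presumably the cluster moving it to member B on failover, which this file cannot show — is reverted to member A on the next `terraform apply`, potentially steering TGW traffic to a member that is down. Add `lifecycle { ignore_changes = [route] }` to the resource so Terraform creates the initial route but does not fight whatever owns it at runtime. Separately, the provider block still takes `access_key`/`secret_key` from plain variables; combined with the committed terraform.tfvars in this commit that is a well-trodden path for long-lived static keys to end up in version control, so prefer environment variables or a profile and mark those variables sensitive.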
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-1234"
+public_subnet_1 = "subnet-1234"
+public_subnet_2 = "subnet-2345"
+private_subnet_1 = "subnet-3456"
+private_subnet_2 = "subnet-4567"
+tgw_subnet_1_id = "subnet-5678"
+tgw_subnet_2_id = "subnet-6789"
+private_route_table = ""
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/variables.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/variables.tf
new file mode 100755
index 00000000..eb330795
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/variables.tf
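Review bot: `gateway_SICKey = "12345678"` in this committed sample satisfies the module's own `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a copy-and-apply of the file establishes SIC trust with a trivially guessable one-time key and nothing in the template objects. A sample file should not ship with a value that passes validation: use one the template rejects, `gateway_SICKey = "" # Required: random string of at least 8 alphanumeric characters; the template aborts on an empty value`, so the deployer is forced to choose a real key. The same discipline applies to `gateway_password_hash` and the `memberAToken`/`memberBToken` Smart-1 Cloud tokens — real values belong in an untracked `*.auto.tfvars` or in environment variables, not in a file that is committed alongside the code.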
@@ -0,0 +1,201 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_1" {
+ type = string
+ description = "The public subnet ID of the cluster that located in the 1st Availability Zone"
+}
+variable "public_subnet_2" {
+ type = string
+ description = "The public subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "private_subnet_1" {
+ type = string
+ description = "The private subnet of the cluster that located in the 1st Availability Zone"
+}
+variable "private_subnet_2" {
+ type = string
+ description = "The private subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "tgw_subnet_1_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 1st Availability Zone"
+}
+variable "tgw_subnet_2_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 2st Availability Zone"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/versions.tf b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-cross-az-cluster/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/README.md b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/README.md
new file mode 100755
index 00000000..e03fc496
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/README.md
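Review bot: None of the secret-bearing inputs — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is declared `sensitive = true`, so their values are echoed in clear in `terraform plan`/`apply` output and in any CI log that captures it. The versions.tf added in this same commit pins `required_version = ">= 0.14.3"`, which supports the attribute, so add `sensitive = true` to each of those variable blocks; note this is a display/log measure only, the state file still stores the values. Two smaller points: the `module "validate_instance_type"`, `module "validate_gateway_version"` and `null_resource "volume_size_too_small"` blocks live in variables.tf and resolve `../modules/common/...` relative to the new `deprecated/.../R80.40/` location, which is not visible here and should be checked to still exist; and several descriptions say "2st" where "2nd" is meant.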
@@ -0,0 +1,264 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform Master module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into new Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/modules/vpc +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be 
provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + "us-east-1c" = 3 + "us-east-1d" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + "us-east-1c" = 7 + "us-east-1d" = 8 + } + subnets_bit_length = 8 + + availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"] + number_of_AZs = 4 + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + 
disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb" + target_group_name = "tg1" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Other parameters --- + volume_type = "gp3" + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. 
| number | n/a | 2 | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|----------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/locals.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/locals.tf new file mode 100755 index 00000000..d75eeaa5 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/locals.tf 
@@ -0,0 +1,62 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // will fail if [var.gateway_management] is invalid: + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash" + regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + + regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + // Will fail if var.admin_cidr is invalid + regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR" + + regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + // Will fail if var.gateways_addresses is invalid + regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses" + + regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.management_server is invalid + regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string" + + regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.configuration_template is invalid + regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 
0 : "Variable [configuration_template] can not be an empty string" + + deploy_management_condition = var.management_deploy == true + + volume_type_allowed_values = [ + "gp3", + "gp2"] + // will fail if [var.volume_type] is invalid: + validate_volume_type = index(local.volume_type_allowed_values, var.volume_type) + + + #note: we need to add validiation for every subnet in masters solution +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/main.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/main.tf new file mode 100755 index 00000000..3b616ebc --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/main.tf 
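Review bot: `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` accept octets up to 999 (`[0-9]{1,3}`), while `regex_valid_vpc_cidr` a few lines above restricts each octet to 0–255; reusing that octet alternative, `^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/([0-9]|[1-2][0-9]|3[0-2])$`, would make a malformed admin CIDR fail at plan time instead of at the AWS API. Separately, `regex_valid_management_server` and `regex_valid_configuration_template` end in an empty alternative (`|)$`), so an empty string passes the check, yet the accompanying error messages say the variable "can not be an empty string" — either the alternative should go or the message should describe what the pattern actually rejects. Since the 8-character `regex_valid_gateway_sic_key` is the only strength check on the SIC key, a comment noting that it is a minimum-length guard rather than a randomness check would set expectations for readers of this file. If this directory is a verbatim copy moved under deprecated/, these may be intentionally left as-is.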
@@ -0,0 +1,85 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "launch_vpc" { + source = "../modules/vpc" + + vpc_cidr = var.vpc_cidr + public_subnets_map = var.public_subnets_map + private_subnets_map = {} + tgw_subnets_map = var.tgw_subnets_map + subnets_bit_length = var.subnets_bit_length +} +module "tgw-gwlb"{ + source = "../tgw-gwlb" + providers = { + aws = aws + } + vpc_id = module.launch_vpc.vpc_id + gateways_subnets = module.launch_vpc.public_subnets_ids_list + number_of_AZs = var.number_of_AZs + availability_zones = var.availability_zones + internet_gateway_id = module.launch_vpc.aws_igw + + transit_gateway_attachment_subnet_1_id = element(module.launch_vpc.tgw_subnets_ids_list, 0) + transit_gateway_attachment_subnet_2_id = element(module.launch_vpc.tgw_subnets_ids_list, 1) + transit_gateway_attachment_subnet_3_id = var.number_of_AZs >= 3 ? element(module.launch_vpc.tgw_subnets_ids_list, 2) : "" + transit_gateway_attachment_subnet_4_id = var.number_of_AZs >= 4 ? 
element(module.launch_vpc.tgw_subnets_ids_list, 3) : "" + + nat_gw_subnet_1_cidr = var.nat_gw_subnet_1_cidr + nat_gw_subnet_2_cidr = var.nat_gw_subnet_2_cidr + nat_gw_subnet_3_cidr = var.nat_gw_subnet_3_cidr + nat_gw_subnet_4_cidr = var.nat_gw_subnet_4_cidr + + gwlbe_subnet_1_cidr = var.gwlbe_subnet_1_cidr + gwlbe_subnet_2_cidr = var.gwlbe_subnet_2_cidr + gwlbe_subnet_3_cidr = var.gwlbe_subnet_3_cidr + gwlbe_subnet_4_cidr = var.gwlbe_subnet_4_cidr + + // --- General Settings --- + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + volume_size = var.volume_size + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + allow_upload_download = var.allow_upload_download + management_server = var.management_server + configuration_template = var.configuration_template + admin_shell = var.admin_shell + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = var.gateway_load_balancer_name + target_group_name = var.target_group_name + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + gateways_provision_address_type = var.gateways_provision_address_type + allocate_public_IP = var.allocate_public_IP + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + 
management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/output.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/output.tf
new file mode 100755
index 00000000..67085776
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..bdb7a361
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/terraform.tfvars
@@ -0,0 +1,76 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_cidr = "10.0.0.0/16" +public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + "us-east-1c" = 3 + "us-east-1d" = 4 +} +tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + "us-east-1c" = 7 + "us-east-1d" = 8 +} +subnets_bit_length = 8 + +availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"] +number_of_AZs = 4 + +nat_gw_subnet_1_cidr = "10.0.13.0/24" +nat_gw_subnet_2_cidr = "10.0.23.0/24" +nat_gw_subnet_3_cidr = "10.0.33.0/24" +nat_gw_subnet_4_cidr = "10.0.43.0/24" + +gwlbe_subnet_1_cidr = "10.0.14.0/24" +gwlbe_subnet_2_cidr = "10.0.24.0/24" +gwlbe_subnet_3_cidr = "10.0.34.0/24" +gwlbe_subnet_4_cidr = "10.0.44.0/24" + +// --- General Settings --- +key_name = "publickey" +enable_volume_encryption = true +volume_size = 100 +enable_instance_connect = false +disable_instance_termination = false +metadata_imdsv2_required = true +allow_upload_download = true +management_server = "CP-Management-gwlb-tf" +configuration_template = "gwlb-configuration" +admin_shell = "/etc/cli.sh" + +// --- Gateway Load Balancer Configuration --- +gateway_load_balancer_name = "gwlb1" +target_group_name = "tg1" +enable_cross_zone_load_balancing = "true" + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- +gateway_name = "Check-Point-GW-tf" +gateway_instance_type = "c5.xlarge" +minimum_group_size = 2 +maximum_group_size = 10 +gateway_version = "R81.20-BYOL" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+gateway_SICKey = "12345678" +gateways_provision_address_type = "private" +allocate_public_IP = false +enable_cloudwatch = false +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- +management_deploy = true +management_instance_type = "m5.xlarge" +management_version = "R81.20-BYOL" +management_password_hash = "" +management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. +gateways_policy = "Standard" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateways_addresses = "0.0.0.0/0" + +// --- Other parameters --- +volume_type = "gp3" + diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/variables.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/variables.tf new file mode 100755 index 00000000..af425811 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/variables.tf 
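Review bot: The sample `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` admit every source address to the Security Management Server's web, SSH and client ports, and example tfvars files are routinely applied unchanged; a placeholder that cannot be applied as-is, e.g. `admin_cidr = "<ADMIN_NETWORK_CIDR>" # replace with the network your administrators connect from`, would force a deliberate choice. The same applies to `gateway_SICKey = "12345678"`, which satisfies the eight-alphanumeric check in locals.tf but is the weakest value that does so — a trailing comment asking for a randomly generated string would help. `enable_cross_zone_load_balancing = "true"` is a quoted string although variables.tf declares the variable as `bool`; Terraform converts it, but the bare `true` used for the other booleans in this file is the consistent form. If this directory is a verbatim copy into deprecated/, these may be intentionally left unchanged.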
@@ -0,0 +1,326 @@ +// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// ---VPC Network Configuration --- +variable "number_of_AZs" { + type = number + description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter" + default = 2 +} +variable "availability_zones"{ + type = list(string) + description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)" +} +resource "null_resource" "tgw_availability_zones_validation1" { + count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs" +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +resource "null_resource" "tgw_availability_zones_validation2" { + count = var.number_of_AZs == length(var.public_subnets_map) ? 0 : "variable public_subnets_map size must be equal to variable num_of_AZs" +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} +variable "tgw_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. 
Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +resource "null_resource" "tgw_availability_zones_validation3" { + count = var.number_of_AZs == length(var.tgw_subnets_map) ? 0 : "variable tgw_subnets_map size must be equal to variable num_of_AZs" +} +variable "nat_gw_subnet_1_cidr" { + type = string + description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone" + default = "10.0.13.0/24" +} +variable "nat_gw_subnet_2_cidr" { + type = string + description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone" + default = "10.0.23.0/24" +} +variable "nat_gw_subnet_3_cidr" { + type = string + description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone" + default = "10.0.33.0/24" +} +variable "nat_gw_subnet_4_cidr" { + type = string + description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone" + default = "10.0.43.0/24" +} +variable "gwlbe_subnet_1_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone" + default = "10.0.14.0/24" +} +variable "gwlbe_subnet_2_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone" + default = "10.0.24.0/24" +} +variable "gwlbe_subnet_3_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone" + default = "10.0.34.0/24" +} +variable "gwlbe_subnet_4_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone" + default = "10.0.44.0/24" +} +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} 
+variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the automatic provisioning configuration." + default = "gwlb-management-server" +} +variable "configuration_template" { + type = string + description = "A name of a gateway configuration template in the automatic provisioning configuration." + default = "gwlb-ASG-configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Gateway Load Balancer Configuration --- + +variable "gateway_load_balancer_name" { + type = string + description = "Gateway Load Balancer name. 
This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "gwlb1" +} +resource "null_resource" "gateway_load_balancer_name_too_long" { + // Will fail if gateway_load_balancer_name more than 32 + count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32" +} +variable "target_group_name" { + type = string + description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "tg1" +} +resource "null_resource" "target_group_name_too_long" { + // Will fail if target_group_name more than 32 + count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32" +} +variable "enable_cross_zone_load_balancing" { + type = bool + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." + default = true +} + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateway instances. (optional)" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The EC2 instance type for the Security Gateways." + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "minimum_group_size" { + type = number + description = "The minimal number of Security Gateways." + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximal number of Security Gateways." 
+ default = 10 +} +variable "gateway_version" { + type = string + description = "The version and license to install on the Security Gateways." + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} + +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + + +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics." 
+ default = false +} + +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- + +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address." 
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb-master/versions.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/README.md b/deprecated/terraform/aws/R80.40/tgw-gwlb/README.md
new file mode 100755
index 00000000..e94a1eea
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/README.md
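Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash` and `management_maintenance_mode_password_hash` are declared without `sensitive = true`, so their values are echoed in plan output and CI logs; the versions.tf added in this commit pins `required_version = ">= 0.14.3"`, where that argument is available, so `sensitive = true` can be added to each of these variable blocks. A second inconsistency: `gateway_password_hash` has no `default` while `management_password_hash` defaults to `""` and the README table in this commit lists `""` as its default, so callers must always supply a value even though the description marks it optional — `default = ""` would match the rest. The `gateway_maintenance_mode_password_hash` description says the value is "relevant only for R81.20 and higher" whereas the tfvars comment says R81.10 and below reuse the admin hash; the two say the same thing but read differently and could share one phrasing. If this directory is an unchanged copy moved under deprecated/, these may be intentionally left as-is.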
@@ -0,0 +1,263 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into existing Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + internet_gateway_id ="igw-12345" + availability_zones = ["us-east-1a", "us-east-1b"] + number_of_AZs = 2 + gateways_subnets= ["subnet-123456", "subnet-234567"] + + transit_gateway_attachment_subnet_1_id="subnet-3456" + transit_gateway_attachment_subnet_2_id="subnet-4567" + transit_gateway_attachment_subnet_3_id="subnet-5678" + transit_gateway_attachment_subnet_4_id="subnet-6789" + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + 
volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + VolumeType = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/locals.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb/locals.tf new file mode 100755 index 00000000..0693df6d --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 
0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+
+ #note: we need to add validiation for every subnet in masters solution
+}
\ No newline at end of file
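Review bot: The error text on `regex_management_server` and `regex_configuration_template` says the value "can not be an empty string", but both patterns end in `|)$`, an explicit empty alternative, so an empty string passes and the message describes a check that is never performed; either drop the empty alternative or reword the message to state the hostname-style constraint the regex actually enforces. The two CIDR patterns (`regex_valid_admin_cidr`, `regex_valid_gateways_addresses`) also accept octets above 255 (a constructed example: `999.1.1.1/8`), so a typo in these management access-restriction inputs is only caught when AWS rejects it; `can(cidrhost(var.admin_cidr, 0))` is a stricter check that fits the same fail-on-invalid idiom used throughout this block. The comment on the SIC key check still names `var.gateway_SIC_Key` while the variable read is `var.gateway_SICKey`, which is worth aligning. Since this file is a copy placed under deprecated/, the same issues presumably exist in the live module and are better fixed there.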
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/main.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb/main.tf
new file mode 100755
index 00000000..64ce7101
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/main.tf
@@ -0,0 +1,438 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + + +resource "aws_subnet" "gwlbe_subnet1" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 0) + cidr_block = var.gwlbe_subnet_1_cidr + tags = { + Name = "GWLBe subnet 1" + Network = "Private" + } +} +resource "aws_route_table" "gwlbe_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway1.id + } + tags = { + Name = "GWLBe Subnet 1 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "gwlbe_subnet1_rtb_assoc" { + subnet_id = aws_subnet.gwlbe_subnet1.id + route_table_id = aws_route_table.gwlbe_subnet1_rtb.id +} + + +resource "aws_subnet" "gwlbe_subnet2" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 1) + cidr_block = var.gwlbe_subnet_2_cidr + tags = { + Name = "GWLBe subnet 2" + Network = "Private" + } +} +resource "aws_route_table" "gwlbe_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway2.id + } + tags = { + Name = "GWLBe Subnet 2 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "gwlbe_subnet2_rtb_assoc" { + subnet_id = aws_subnet.gwlbe_subnet2.id + route_table_id = aws_route_table.gwlbe_subnet2_rtb.id +} + + +resource "aws_subnet" "gwlbe_subnet3" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 2) + cidr_block = var.gwlbe_subnet_3_cidr + tags = { + Name = "GWLBe subnet 3" + Network = "Private" + } +} +resource "aws_route_table" "gwlbe_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway3[0].id + } + tags = { + Name = "GWLBe Subnet 3 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "gwlbe_subnet3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = aws_subnet.gwlbe_subnet3[0].id + route_table_id = aws_route_table.gwlbe_subnet3_rtb[0].id +} + + +resource "aws_subnet" "gwlbe_subnet4" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 3) + cidr_block = var.gwlbe_subnet_4_cidr + tags = { + Name = "GWLBe subnet 4" + Network = "Private" + } +} +resource "aws_route_table" "gwlbe_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + nat_gateway_id = aws_nat_gateway.nat_gateway4[0].id + } + tags = { + Name = "GWLBe Subnet 4 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "gwlbe_subnet4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 
1 :0 + subnet_id = aws_subnet.gwlbe_subnet4[0].id + route_table_id = aws_route_table.gwlbe_subnet4_rtb[0].id +} + + + + +resource "aws_subnet" "nat_gw_subnet1" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 0) + cidr_block = var.nat_gw_subnet_1_cidr + tags = { + Name = "NAT subnet 1" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 1 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet1_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet1.id + route_table_id = aws_route_table.nat_gw_subnet1_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet2" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 1) + cidr_block = var.nat_gw_subnet_2_cidr + tags = { + Name = "NAT subnet 2" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 2 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet2_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet2.id + route_table_id = aws_route_table.nat_gw_subnet2_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet3" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 2) + cidr_block = var.nat_gw_subnet_3_cidr + tags = { + Name = "NAT subnet 3" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 3 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = aws_subnet.nat_gw_subnet3[0].id + route_table_id = aws_route_table.nat_gw_subnet3_rtb[0].id +} + +resource "aws_subnet" "nat_gw_subnet4" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 3) + cidr_block = var.nat_gw_subnet_4_cidr + tags = { + Name = "NAT subnet 4" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 4 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 
1 :0 + subnet_id = aws_subnet.nat_gw_subnet4[0].id + route_table_id = aws_route_table.nat_gw_subnet4_rtb[0].id +} + +module "gwlb" { + source = "../gwlb" + providers = { + aws = aws + } + vpc_id = var.vpc_id + subnet_ids = var.gateways_subnets + + // --- General Settings --- + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + volume_size = var.volume_size + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + allow_upload_download = var.allow_upload_download + management_server = var.management_server + configuration_template = var.configuration_template + admin_shell = var.admin_shell + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = var.gateway_load_balancer_name + target_group_name = var.target_group_name + connection_acceptance_required = false + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + gateways_provision_address_type = var.gateways_provision_address_type + allocate_public_IP = var.allocate_public_IP + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = var.management_deploy + management_instance_type = var.management_instance_type + management_version = var.management_version + management_password_hash = 
var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + gateways_policy = var.gateways_policy + gateway_management = var.gateway_management + admin_cidr = var.admin_cidr + gateways_addresses = var.gateways_addresses + + volume_type = var.volume_type +} + +resource "aws_vpc_endpoint" "gwlb_endpoint1" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet1] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet1[*].id + tags = { + "Name" = "gwlb_endpoint1" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint2" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet2] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet2[*].id + tags = { + "Name" = "gwlb_endpoint2" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet3] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet3[*].id + tags = { + "Name" = "gwlb_endpoint3" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint4" { + count = var.number_of_AZs >= 4 ? 
1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet4] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet4[*].id + tags = { + "Name" = "gwlb_endpoint4" + } +} + + +resource "aws_route_table" "tgw_attachment_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint1.id + } + tags = { + Name = "TGW Attachment Subnet 1 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_1_id + route_table_id = aws_route_table.tgw_attachment_subnet1_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint2.id + } + tags = { + Name = "TGW Attachment Subnet 2 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment2_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_2_id + route_table_id = aws_route_table.tgw_attachment_subnet2_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint3[0].id + } + tags = { + Name = "TGW Attachment Subnet 3 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_3_id + route_table_id = aws_route_table.tgw_attachment_subnet3_rtb[0].id +} +resource "aws_route_table" "tgw_attachment_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint4[0].id + } + tags = { + Name = "TGW Attachment Subnet 4 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_4_id + route_table_id = aws_route_table.tgw_attachment_subnet4_rtb[0].id +} + + +resource "aws_eip" "nat_gw_public_address1" { +} +resource "aws_eip" "nat_gw_public_address2" { +} +resource "aws_eip" "nat_gw_public_address3" { + count = var.number_of_AZs >= 3 ? 1 : 0 +} +resource "aws_eip" "nat_gw_public_address4" { + count = var.number_of_AZs >= 4 ? 1 : 0 +} + +resource "aws_nat_gateway" "nat_gateway1" { + depends_on = [aws_subnet.nat_gw_subnet1, aws_eip.nat_gw_public_address1] + allocation_id = aws_eip.nat_gw_public_address1.id + subnet_id = aws_subnet.nat_gw_subnet1.id + + tags = { + Name = "NatGW1" + } +} +resource "aws_nat_gateway" "nat_gateway2" { + depends_on = [aws_subnet.nat_gw_subnet2, aws_eip.nat_gw_public_address2] + allocation_id = aws_eip.nat_gw_public_address2.id + subnet_id = aws_subnet.nat_gw_subnet2.id + + tags = { + Name = "NatGW2" + } +} +resource "aws_nat_gateway" "nat_gateway3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet3, aws_eip.nat_gw_public_address3] + allocation_id = aws_eip.nat_gw_public_address3[0].id + subnet_id = aws_subnet.nat_gw_subnet3[0].id + + tags = { + Name = "NatGW3" + } +} +resource "aws_nat_gateway" "nat_gateway4" { + count = var.number_of_AZs >= 4 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet4, aws_eip.nat_gw_public_address4] + allocation_id = aws_eip.nat_gw_public_address4[0].id + subnet_id = aws_subnet.nat_gw_subnet4[0].id + + tags = { + Name = "NatGW4" + } +} \ No newline at end of file 
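Review bot: The provider block at the top of the hunk wires `access_key = var.access_key` and `secret_key = var.secret_key`, so long-lived AWS keys are expected to be pasted into terraform.tfvars, where they are easy to commit and are also captured in any saved plan file; the variables.tf added in this same commit leaves those two variables unmarked as sensitive. Prefer the provider's default credential chain (environment variables, a named profile, or an assumed role) and drop the two lines, or at least keep a warning beside them: `# static keys come from terraform.tfvars -- prefer AWS_PROFILE / env vars so they never land in the repo or a plan file`. Separately, the four `nat_gw_subnet*` subnets are tagged `Network = "Private"` while the route tables associated with them send `0.0.0.0/0` to the Internet Gateway and are themselves tagged `Network = "Public"`; a subnet whose default route is an IGW is public, so the subnet tag looks wrong and would mislead anyone filtering on it, `Network = "Public"`. Since this file is being added under deprecated/, the same findings presumably apply to the live template it was copied from; worth confirming there.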
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/output.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb/output.tf
new file mode 100755
index 00000000..15cb48a3
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/terraform.tfvars b/deprecated/terraform/aws/R80.40/tgw-gwlb/terraform.tfvars
new file mode 100755
index 00000000..266b4d1a
--- /dev/null
+++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/terraform.tfvars
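Review bot: `module.gwlb` is declared in main.tf without `count` or `for_each`, yet the `management_public_ip`, `gwlb_arn` and `gwlb_service_name` outputs read it through a full splat, `module.gwlb[*].…`; Terraform treats a non-list value under `[*]` as a single-element list, so each of these outputs is a one-element tuple (`["1.2.3.4"]`) rather than the scalar its name suggests, while main.tf itself reads `module.gwlb.gwlb_service_name` without the splat. Unless the list wrapping is relied on downstream, `value = module.gwlb.management_public_ip` (and likewise for the other two) gives callers the plain value. The `depends_on = [module.gwlb]` on those outputs appears redundant, since each value already references the module.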
@@ -0,0 +1,69 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_id = "vpc-12345678" +internet_gateway_id ="igw-12345" +availability_zones = ["us-east-1a", "us-east-1b"] +number_of_AZs = 2 +gateways_subnets= ["subnet-123456", "subnet-234567"] + +transit_gateway_attachment_subnet_1_id="subnet-3456" +transit_gateway_attachment_subnet_2_id="subnet-4567" +transit_gateway_attachment_subnet_3_id="subnet-5678" +transit_gateway_attachment_subnet_4_id="subnet-6789" + +nat_gw_subnet_1_cidr ="10.0.13.0/24" +nat_gw_subnet_2_cidr = "10.0.23.0/24" +nat_gw_subnet_3_cidr = "10.0.33.0/24" +nat_gw_subnet_4_cidr = "10.0.43.0/24" + +gwlbe_subnet_1_cidr = "10.0.14.0/24" +gwlbe_subnet_2_cidr = "10.0.24.0/24" +gwlbe_subnet_3_cidr = "10.0.34.0/24" +gwlbe_subnet_4_cidr = "10.0.44.0/24" + +// --- General Settings --- +key_name = "publickey" +enable_volume_encryption = true +volume_size = 100 +enable_instance_connect = false +disable_instance_termination = false +metadata_imdsv2_required = true +allow_upload_download = true +management_server = "CP-Management-gwlb-tf" +configuration_template = "gwlb-configuration" +admin_shell = "/etc/cli.sh" + +// --- Gateway Load Balancer Configuration --- +gateway_load_balancer_name = "gwlb1" +target_group_name = "tg1" +enable_cross_zone_load_balancing = "true" + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- +gateway_name = "Check-Point-GW-tf" +gateway_instance_type = "c5.xlarge" +minimum_group_size = 2 +maximum_group_size = 10 +gateway_version = "R81.20-BYOL" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+gateway_SICKey = "12345678" +gateways_provision_address_type = "private" +allocate_public_IP = false +enable_cloudwatch = false +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- +management_deploy = true +management_instance_type = "m5.xlarge" +management_version = "R81.20-BYOL" +management_password_hash = "" +management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. +gateways_policy = "Standard" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateways_addresses = "0.0.0.0/0" + +// --- Other parameters --- +volume_type = "gp3" + diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/variables.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb/variables.tf new file mode 100755 index 00000000..52b97b13 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/variables.tf 
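Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, and per the variable descriptions in variables.tf those CIDRs are the only restriction on web, SSH and SmartConsole access to the Security Management Server, so anyone who copies this file and edits only the resource IDs gets a management server reachable from the whole internet. Ship a clearly-placeholder, documentation-range value and say why, e.g. `admin_cidr = "192.0.2.0/24" # your admin network; 0.0.0.0/0 exposes SSH/HTTPS/SmartConsole to the internet`, and the same for `gateways_addresses`. The `gateway_SICKey = "12345678"` placeholder is exactly the minimum length the variable description asks for and reads like a usable default; an obviously fake value that still meets the stated rule, e.g. `gateway_SICKey = "ChangeMeSICKey"`, makes an accidental deployment with a guessable SIC key less likely. Minor: `enable_cross_zone_load_balancing = "true"` is a string for a `bool` variable; Terraform converts it, but `= true` matches the other booleans in the file.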
@@ -0,0 +1,333 @@ +// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// ---VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "internet_gateway_id" { + type = string + description = "VPC's Internet Gateway Id (e.g. igw-123a4567)" +} +variable "availability_zones"{ + type = list(string) + description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)" +} +variable "number_of_AZs" { + type = number + description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter" + default = 2 +} +resource "null_resource" "availability_zones_validation1" { + count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs" +} + +variable "gateways_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} + +variable "transit_gateway_attachment_subnet_1_id" { + type = string + description = "The TGW attachment subnet ID located in the 1st Availability Zone" +} +variable "transit_gateway_attachment_subnet_2_id" { + type = string + description = "The TGW attachment subnet ID located in the 2st Availability Zone" +} +variable "transit_gateway_attachment_subnet_3_id" { + type = string + description = "The TGW attachment subnet ID located in the 3st Availability Zone" + default = "" +} +variable "transit_gateway_attachment_subnet_4_id" { + type = string + description = "The TGW attachment subnet ID located in the 4st Availability Zone" + default = "" +} +variable "nat_gw_subnet_1_cidr" { + type = string + description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone" + default = "10.0.13.0/24" +} +variable "nat_gw_subnet_2_cidr" { + type = string + description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone" + default = "10.0.23.0/24" +} +variable "nat_gw_subnet_3_cidr" { + type = string + description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone" + default = "10.0.33.0/24" +} +variable "nat_gw_subnet_4_cidr" { + type = string + description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone" + default = "10.0.43.0/24" +} +variable "gwlbe_subnet_1_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone" + default = "10.0.14.0/24" +} +variable "gwlbe_subnet_2_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone" + default = "10.0.24.0/24" +} +variable "gwlbe_subnet_3_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone" + default = "10.0.34.0/24" +} +variable 
"gwlbe_subnet_4_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone" + default = "10.0.44.0/24" +} +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the automatic provisioning configuration." + default = "gwlb-management-server" +} +variable "configuration_template" { + type = string + description = "A name of a gateway configuration template in the automatic provisioning configuration." 
+ default = "gwlb-ASG-configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Gateway Load Balancer Configuration --- + +variable "gateway_load_balancer_name" { + type = string + description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "gwlb1" +} +resource "null_resource" "gateway_load_balancer_name_too_long" { + // Will fail if gateway_load_balancer_name more than 32 + count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32" +} +variable "target_group_name" { + type = string + description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "tg1" +} +resource "null_resource" "target_group_name_too_long" { + // Will fail if target_group_name more than 32 + count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32" +} +variable "enable_cross_zone_load_balancing" { + type = bool + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." + default = true +} + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateway instances. (optional)" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The EC2 instance type for the Security Gateways." 
+ default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "minimum_group_size" { + type = number + description = "The minimal number of Security Gateways." + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximal number of Security Gateways." + default = 10 +} +variable "gateway_version" { + type = string + description = "The version and license to install on the Security Gateways." + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} + +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 
0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics." + default = false +} + +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- + +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable 
"gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address." + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + diff --git a/deprecated/terraform/aws/R80.40/tgw-gwlb/versions.tf b/deprecated/terraform/aws/R80.40/tgw-gwlb/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R80.40/tgw-gwlb/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/README.md b/deprecated/terraform/aws/R81/autoscale-gwlb/README.md new file mode 100755 index 00000000..fd28bd32 --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/README.md 
@@ -0,0 +1,186 @@ +# Check Point CloudGuard Network Auto Scaling GWLB Terraform module for AWS + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC. + +These types of Terraform resources are supported: +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [Security group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) + + +See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Topics-AWS-AutoScale-DG/Check-Point-CloudGuard-Network-for-AWS.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "env1" + asg_name = "autoscaling_group" + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-abc123", "subnet-def456"] + + // --- Automatic Provisioning with Security Management Server Settings --- + gateways_provision_address_type = "private" + allocate_public_IP = false + management_server = "mgmt_env1" + configuration_template = "tmpl_env1" + + // --- EC2 Instances Configuration --- + gateway_name = "asg_gateway" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + instances_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Auto Scaling Configuration --- + minimum_group_size = 2 + maximum_group_size = 10 + target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"] + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|------------------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/asg_userdata.yaml b/deprecated/terraform/aws/R81/autoscale-gwlb/asg_userdata.yaml new file mode 100755 index 00000000..bb095c01 --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/asg_userdata.yaml @@ -0,0 +1,29 @@ +#cloud-config +network: + version: 1 + config: + - type: bridge + name: br0 + mtu: *eth0-mtu + subnets: + - address: *eth0-private + type: static + gateway: *default-gateway + dns_nameservers: + - *eth0-dns1 + bridge_interfaces: + - eth0 +kernel_parameters: + sim: + - sim_geneve_enabled=1 + - sim_geneve_br_dev=br0 + fw: + + - fwtls_bridge_mode_inspection=1 + - fw_geneve_enabled=1 +bootcmd: + - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local + - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/locals.tf b/deprecated/terraform/aws/R81/autoscale-gwlb/locals.tf new file mode 100755 index 00000000..2c811532 --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/locals.tf 
@@ -0,0 +1,55 @@ +locals { + asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name) + create_iam_role = var.enable_cloudwatch ? 1 : 0 + + gateways_provision_address_type_allowed_values = [ + "public", + "private" + ] + // Will fail if var.gateways_provision_address_type is invalid + validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type) + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + + tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.gateway_version), 0) + + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) + +} +resource "null_resource" "tags_as_list_of_maps" { + count = length(keys(var.instances_tags)) + + triggers = { + "key" = keys(var.instances_tags)[count.index] + "value" = values(var.instances_tags)[count.index] + "propagate_at_launch" = "true" + } +} diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/main.tf b/deprecated/terraform/aws/R81/autoscale-gwlb/main.tf new file mode 100755 index 00000000..67691dca --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/main.tf 
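Review bot: The custom messages in `regex_key_name_result`, `regex_sic_result`, `regex_gateway_password_hash` and `regex_gateway_maintenance_mode_password_hash` are unreachable, because `regex()` itself aborts with Terraform's generic pattern-mismatch error whenever the input is invalid, so the `? 0 : "Variable [...] must be ..."` branches never run and the operator sees a cryptic failure instead of the intended text; `regex_valid_cidr_range` is also defined but unused in this hunk. Each rule would be clearer as a `validation` block on its variable, e.g. `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with the existing text as `error_message`, which is the pattern variables.tf in this same commit already uses for `configuration_template`. While there, the SIC-key rule accepts the `12345678` placeholder that terraform.tfvars and the README ship as the example value, so consider adding `&& var.gateway_SICKey != "12345678"` to that condition.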
@@ -0,0 +1,202 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + version_license = var.gateway_version + amis_url = "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml" + +} + +resource "aws_security_group" "permissive_sg" { + name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name) + description = "Permissive security group" + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = format("%s_PermissiveSecurityGroup", local.asg_name) + } +} + +resource "aws_launch_template" "asg_launch_template" { + name_prefix = local.asg_name + image_id = module.amis.ami_id + instance_type = var.gateway_instance_type + key_name = var.key_name + network_interfaces { + associate_public_ip_address = var.allocate_public_IP + security_groups = [aws_security_group.permissive_sg.id] + } + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + iam_instance_profile { + name = ( var.enable_cloudwatch ? 
aws_iam_instance_profile.instance_profile[0].name : "") + } + + monitoring { + enabled = true + } + + block_device_mappings { + device_name = "/dev/xvda" + ebs { + volume_type = var.volume_type + volume_size = var.volume_size + encrypted = var.enable_volume_encryption + } + } + + description = "Initial template version" + + user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", { + // script's arguments + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + EnableCloudWatch = var.enable_cloudwatch, + EnableInstanceConnect = var.enable_instance_connect, + Shell = var.admin_shell, + SICKey = local.gateway_SICkey_base64, + AllowUploadDownload = var.allow_upload_download, + BootstrapScript = local.gateway_bootstrap_script64, + OsVersion = local.version_split + })) +} +resource "aws_autoscaling_group" "asg" { + name_prefix = local.asg_name + launch_template { + id = aws_launch_template.asg_launch_template.id + version = aws_launch_template.asg_launch_template.latest_version + } + min_size = var.minimum_group_size + max_size = var.maximum_group_size + target_group_arns = var.target_groups + vpc_zone_identifier = var.subnet_ids + health_check_grace_period = 3600 + health_check_type = "ELB" + + tag { + key = "Name" + value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.gateway_name) + propagate_at_launch = true + } + + tag { + key = "x-chkp-tags" + value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) + propagate_at_launch = true + } + + tag { + key = "x-chkp-topology" + value = "internal" + propagate_at_launch = true + } + + tag { + key = "x-chkp-solution" + value = "autoscale_gwlb" + propagate_at_launch = true + } + + dynamic "tag" { + for_each = var.instances_tags + content { + key = tag.key + value = tag.value + propagate_at_launch = true + } + } +} + +data "aws_iam_policy_document" "assume_role_policy_document" { + version = "2012-10-17" + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + effect = "Allow" + } +} + +resource "aws_iam_role" "role" { + count = local.create_iam_role + name_prefix = format("%s-iam_role", local.asg_name) + assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json + path = "/" +} +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.create_iam_role + role = aws_iam_role.role[count.index].name + tag_name = local.asg_name +} +resource "aws_iam_instance_profile" "instance_profile" { + count = local.create_iam_role + name_prefix = format("%s-iam_instance_profile", local.asg_name) + path = "/" + role = aws_iam_role.role[count.index].name +} + +// Scaling metrics +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" { + alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name) + metric_name = "CPUUtilization" + alarm_description = "Scale-down if CPU < 60% for 10 minutes" + namespace = "AWS/EC2" + statistic = "Average" + period = 300 + evaluation_periods = 2 + threshold = 60 + alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.asg.name + } + 
comparison_operator = "LessThanThreshold" +} +resource "aws_autoscaling_policy" "scale_down_policy" { + autoscaling_group_name = aws_autoscaling_group.asg.name + name = format("%s_scale_down", aws_autoscaling_group.asg.name) + adjustment_type = "ChangeInCapacity" + cooldown = 300 + scaling_adjustment = -1 +} +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" { + alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name) + metric_name = "CPUUtilization" + alarm_description = "Scale-up if CPU > 80% for 10 minutes" + namespace = "AWS/EC2" + statistic = "Average" + period = 300 + evaluation_periods = 2 + threshold = 80 + alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.asg.name + } + comparison_operator = "GreaterThanThreshold" +} +resource "aws_autoscaling_policy" "scale_up_policy" { + autoscaling_group_name = aws_autoscaling_group.asg.name + name = format("%s_scale_up", aws_autoscaling_group.asg.name) + adjustment_type = "ChangeInCapacity" + cooldown = 300 + scaling_adjustment = 1 +} diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/output.tf b/deprecated/terraform/aws/R81/autoscale-gwlb/output.tf new file mode 100755 index 00000000..ce5f76ce --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/output.tf 
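Review bot: `module "amis"` resolves the gateway image from `https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml`, a bucket whose name says staging, so every instance the Auto Scaling group launches boots whatever AMI that non-production object lists at apply time, with no pinning, owner check or integrity verification. Even in a deprecated copy this should point at the production location (or expose `amis_url` as a variable with that default) and ideally be paired with an AMI owner allow-list, because a compromised or stale staging object silently becomes the firewall image. Also, `aws_security_group.permissive_sg` admits all protocols and ports from `0.0.0.0/0` while `associate_public_ip_address` may be true, so SSH and any other service the gateway listens on are internet-reachable before the first policy is installed; if the intent is that the gateway enforces its own policy, state that in the `description` and at least narrow ingress to the GWLB/GENEVE source (UDP 6081 from the VPC CIDR) plus an admin CIDR. Finally, `provider "aws"` still takes `access_key`/`secret_key` from variables, which the README itself notes should normally be replaced by environment credentials.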
@@ -0,0 +1,41 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = aws_autoscaling_group.asg.name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = aws_autoscaling_group.asg.arn
+}
+output "autoscale_autoscaling_group_availability_zones" {
+ value = aws_autoscaling_group.asg.availability_zones
+}
+output "autoscale_autoscaling_group_desired_capacity" {
+ value = aws_autoscaling_group.asg.desired_capacity
+}
+output "autoscale_autoscaling_group_min_size" {
+ value = aws_autoscaling_group.asg.min_size
+}
+output "autoscale_autoscaling_group_max_size" {
+ value = aws_autoscaling_group.asg.max_size
+}
+output "autoscale_autoscaling_group_target_group_arns" {
+ value = aws_autoscaling_group.asg.target_group_arns
+}
+output "autoscale_autoscaling_group_subnets" {
+ value = aws_autoscaling_group.asg.vpc_zone_identifier
+}
+
+output "autoscale_launch_template_id" {
+ value = aws_launch_template.asg_launch_template.id
+}
+
+output "autoscale_security_group_id" {
+ value = aws_security_group.permissive_sg.id
+}
+
+output "autoscale_iam_role_name" {
+ value = aws_iam_role.role.*.name
+}
+
diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/terraform.tfvars b/deprecated/terraform/aws/R81/autoscale-gwlb/terraform.tfvars
new file mode 100755
index 00000000..4cced958
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale-gwlb/terraform.tfvars
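Review bot: The security-group output is declared as `autoscale_security_group_id` here, but the README's Outputs table in this same commit documents it as `autoscale_autoscale_security_group_id`, so anyone wiring `module.<name>.autoscale_autoscale_security_group_id` from the docs gets an unknown-attribute error; rename one side so they agree (the other ten names match). `autoscale_iam_role_name` returns a list built from `aws_iam_role.role.*.name` that is empty whenever `enable_cloudwatch` is false, which the README only hints at with "(if created)"; adding `description = "IAM role name(s) attached to the instances; empty list unless enable_cloudwatch is true"` would make the shape explicit to callers.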
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "env1"
+asg_name = "autoscaling_group"
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+management_server = "mgmt_env1"
+configuration_template = "tmpl_env1"
+
+// --- EC2 Instances Configuration ---
+gateway_name = "asg_gateway"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+metadata_imdsv2_required = true
+
+// --- Auto Scaling Configuration ---
+minimum_group_size = 2
+maximum_group_size = 10
+target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_instance_connect = false
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/variables.tf b/deprecated/terraform/aws/R81/autoscale-gwlb/variables.tf
new file mode 100755
index 00000000..cb1a985c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale-gwlb/variables.tf
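Review bot: `gateway_SICKey = "12345678"` ships a committed, publicly documented SIC key that satisfies the module's own 8-alphanumeric check in locals.tf, so a user who fills in the other values and runs `terraform apply` establishes gateway-to-management trust with a key anyone can read out of this repository. Use a value that fails validation until it is replaced, e.g. `gateway_SICKey = "" # REQUIRED: >= 8 alphanumeric characters; never reuse the example from the README`, and treat the current placeholder as known-bad wherever it may already have been copied. A one-line comment on `allow_upload_download = true` noting that it sends data to Check Point by default would also help deployments with restricted egress.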
@@ -0,0 +1,191 @@ +// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. Recommended at least 2" +} + +// --- Automatic Provisioning with Security Management Server Settings --- +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 
0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the CME configuration" +} +variable "configuration_template" { + type = string + description = "Name of the provisioning template in the CME configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} + +// --- EC2 Instances Configuration --- +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateways instances" + default = "Check-Point-ASG-gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "instances_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added on all AutoScaling Group instances" + default = {} +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} + +// --- Auto Scaling Configuration --- +variable "minimum_group_size" { + type = number + description = "The minimum number of instances in the Auto Scaling group" + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximum number of instances in the Auto Scaling group" + default = 10 +} +variable "target_groups" { + type = list(string) + description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group" + default = [] +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} + +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/autoscale-gwlb/versions.tf b/deprecated/terraform/aws/R81/autoscale-gwlb/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale-gwlb/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/deprecated/terraform/aws/R81/autoscale/README.md b/deprecated/terraform/aws/R81/autoscale/README.md new file mode 100755 index 00000000..5062ec5d --- /dev/null +++ b/deprecated/terraform/aws/R81/autoscale/README.md 
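Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are not marked `sensitive = true`, so their values are echoed in plan/apply output and in anything that prints variable values; versions.tf in this commit already requires Terraform `>= 0.14.3`, where the attribute exists, so add `sensitive = true` to each of those five blocks. The `null_resource` count-string trick in `invalid_allocation` and `volume_size_too_small` fails with a type-conversion error rather than the embedded message, while `configuration_template` in the same file already shows the readable alternative, a `validation` block with `condition`/`error_message`; the two checks should follow it. Also, `gateway_password_hash` tells users to run `openssl passwd -6`, whereas `gateway_maintenance_mode_password_hash` and the README say `grub2-mkpasswd-pbkdf2`, and the two tools emit differently formatted hashes, so the descriptions should be made deliberately consistent per variable. The hunk ends at the file's last line, so no further context is missing.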
@@ -0,0 +1,201 @@
+# Check Point CloudGuard Network Auto Scaling Terraform module for AWS
+
+Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC.
+
+These types of Terraform resources are supported:
+* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html)
+* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html)
+* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm)
+* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation
+* [Proxy Elastic Load Balancer](https://www.terraform.io/docs/providers/aws/r/elb.html) - conditional creation
+
+
+See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Default.htm) for additional information
+
+This solution uses the following modules:
+- /terraform/aws/modules/amis
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.aws_access_key_ID
+ secret_key = var.aws_secret_access_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.aws_access_key_ID
+ // secret_key = var.aws_secret_access_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- Environment ---
+ prefix = "env1"
+ asg_name = "autoscaling_group"
+
+ // --- VPC Network Configuration ---
+ vpc_id = "vpc-12345678"
+ subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+ // --- Automatic Provisioning with Security Management Server Settings ---
+ gateways_provision_address_type = "private"
+ management_server = "mgmt_env1"
+ configuration_template = "tmpl_env1"
+
+ // --- EC2 Instances Configuration ---
+ gateway_name = "asg_gateway"
+ gateway_instance_type = "c5.xlarge"
+ key_name = "publickey"
+ instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+ }
+
+ // --- Auto Scaling Configuration ---
+ minimum_group_size = 2
+ maximum_group_size = 10
+ target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+ // --- Check Point Settings ---
+ gateway_version = "R81.20-BYOL"
+ admin_shell = "/etc/cli.sh"
+ gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Outbound Proxy Configuration (optional) --- + proxy_elb_type = "internet-facing" + proxy_elb_clients = "0.0.0.0/0" + proxy_elb_port = 8080 + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | +| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | +| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_load_balancers | The deployed AutoScaling Group's configured load balancers | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the 
template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
+| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | Change default shell for the admin user to /etc/cli.sh |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | AWS Terraform modules refactor |
+| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS |
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/deprecated/terraform/aws/R81/autoscale/asg_userdata.yaml b/deprecated/terraform/aws/R81/autoscale/asg_userdata.yaml
new file mode 100755
index 00000000..4c6633c3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/asg_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
diff --git a/deprecated/terraform/aws/R81/autoscale/locals.tf b/deprecated/terraform/aws/R81/autoscale/locals.tf
new file mode 100755
index 00000000..72fa5951
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/locals.tf
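Review bot: The SIC key and both password hashes reach the instance inside user data and are then handed to `python3 /etc/cloud_config.py` as command-line arguments; the base64 applied in locals.tf is encoding, not protection, so these values are readable from inside the instance through IMDS, from the account through the launch template's versions, and from a local process listing while the script runs. `metadata_imdsv2_required` defaulting to true narrows the IMDS path but does not close it. A comment at the top of this file would make the hand-off explicit for operators: `# NOTE: sicKey/passwordHash/MaintenanceModePassword are base64-encoded, not encrypted; user data is visible via IMDS and the launch template`.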
@@ -0,0 +1,62 @@
+locals {
+ asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+ create_iam_role = var.enable_cloudwatch ? 1 : 0
+
+ gateways_provision_address_type_allowed_values = [
+ "public",
+ "private"
+ ]
+ // Will fail if var.gateways_provision_address_type is invalid
+ validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+
+ proxy_elb_type_allowed_values = [
+ "none",
+ "internal",
+ "internet-facing"
+ ]
+ // Will fail if var.proxy_elb_type is invalid
+ validate_proxy_elb_type = index(local.proxy_elb_type_allowed_values, var.proxy_elb_type)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.proxy_elb_clients is invalid
+ regex_cidr_result = regex(local.regex_valid_cidr_range, var.proxy_elb_clients) == var.proxy_elb_clients ? 0 : "Variable [proxy_elb_clients] must be a valid CIDR range"
+
+ tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+}
+resource "null_resource" "tags_as_list_of_maps" {
+ count = length(keys(var.instances_tags))
+
+ triggers = {
+ "key" = keys(var.instances_tags)[count.index]
+ "value" = values(var.instances_tags)[count.index]
+ "propagate_at_launch" = "true"
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/autoscale/main.tf b/deprecated/terraform/aws/R81/autoscale/main.tf
new file mode 100755
index 00000000..68abbfe0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/main.tf
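Review bot: The input checks in this `locals` block depend on `index()` or `regex()` itself failing, so as far as I can see the explanatory strings after `? 0 :` never reach the operator as an error message; variables.tf in this same commit already uses a `validation` block for configuration_template, and moving each check next to its variable, e.g. `validation { condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/csh", "/bin/tcsh"], var.admin_shell) error_message = "admin_shell must be one of /etc/cli.sh, /bin/bash, /bin/csh, /bin/tcsh" }`, gives the intended message and keeps the two files consistent. `regex_valid_cidr_range` makes the `/prefix` group optional, so a bare IPv4 address passes the proxy_elb_clients check although the value is then used as a security-group `cidr_blocks` entry in main.tf. `tags_asg_format` and the `null_resource.tags_as_list_of_maps` it reads do not appear to be referenced by main.tf, which builds instance tags from `var.instances_tags` directly with a `dynamic "tag"` block, so they look like leftovers that could be dropped.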
@@ -0,0 +1,248 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+}
+
+resource "aws_security_group" "permissive_sg" {
+ name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = format("%s_PermissiveSecurityGroup", local.asg_name)
+ }
+}
+
+resource "aws_launch_template" "asg_launch_template" {
+ name_prefix = local.asg_name
+ image_id = module.amis.ami_id
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ network_interfaces {
+ associate_public_ip_address = true
+ security_groups = [aws_security_group.permissive_sg.id]
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ iam_instance_profile {
+ name = ( var.enable_cloudwatch ? aws_iam_instance_profile.instance_profile[0].name : "")
+ }
+ monitoring {
+ enabled = true
+ }
+
+ block_device_mappings {
+ device_name = "/dev/xvda"
+ ebs {
+ volume_type = "gp3"
+ volume_size = var.volume_size
+ encrypted = var.enable_volume_encryption
+ }
+ }
+ description = "Initial template version"
+
+
+ user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
+ // script's arguments
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
+ EnableCloudWatch = var.enable_cloudwatch,
+ EnableInstanceConnect = var.enable_instance_connect,
+ Shell = var.admin_shell,
+ SICKey = local.gateway_SICkey_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ BootstrapScript = local.gateway_bootstrap_script64,
+ OsVersion = local.version_split
+ }))
+}
+resource "aws_autoscaling_group" "asg" {
+ name_prefix = local.asg_name
+ launch_template {
+ id = aws_launch_template.asg_launch_template.id
+ version = aws_launch_template.asg_launch_template.latest_version
+ }
+ min_size = var.minimum_group_size
+ max_size = var.maximum_group_size
+ load_balancers = aws_elb.proxy_elb.*.name
+ target_group_arns = var.target_groups
+ vpc_zone_identifier = var.subnet_ids
+ health_check_grace_period = 3600
+ health_check_type = "ELB"
+
+ tag {
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
+ }
+
+ dynamic "tag" {
+ for_each = var.instances_tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_role_policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ effect = "Allow"
+ }
+}
+
+resource "aws_iam_role" "role" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_role", local.asg_name)
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
+ path = "/"
+}
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.create_iam_role
+ role = aws_iam_role.role[count.index].name
+ tag_name = local.asg_name
+}
+
+resource "aws_iam_instance_profile" "instance_profile" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_instance_profile", local.asg_name)
+ path = "/"
+ role = aws_iam_role.role[count.index].name
+}
+
+// Proxy ELB
+locals {
+ proxy_elb_condition = var.proxy_elb_type != "none" ? 1 : 0
+}
+resource "random_id" "proxy_elb_uuid" {
+ byte_length = 5
+}
+resource "aws_elb" "proxy_elb" {
+ count = local.proxy_elb_condition
+ name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex)
+ internal = var.proxy_elb_type == "internal"
+ cross_zone_load_balancing = true
+ listener {
+ instance_port = var.proxy_elb_port
+ instance_protocol = "TCP"
+ lb_port = var.proxy_elb_port
+ lb_protocol = "TCP"
+ }
+ health_check {
+ target = format("TCP:%s", var.proxy_elb_port)
+ healthy_threshold = 3
+ unhealthy_threshold = 5
+ interval = 30
+ timeout = 5
+ }
+ subnets = var.subnet_ids
+ security_groups = [aws_security_group.elb_security_group[count.index].id]
+}
+resource "aws_load_balancer_policy" "proxy_elb_policy" {
+ count = local.proxy_elb_condition
+ load_balancer_name = aws_elb.proxy_elb[count.index].name
+ policy_name = "EnableProxyProtocol"
+ policy_type_name = "ProxyProtocolPolicyType"
+
+ policy_attribute {
+ name = "ProxyProtocol"
+ value = "true"
+ }
+}
+resource "aws_security_group" "elb_security_group" {
+ count = local.proxy_elb_condition
+ description = "ELB security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ protocol = "tcp"
+ cidr_blocks = [var.proxy_elb_clients]
+ from_port = var.proxy_elb_port
+ to_port = var.proxy_elb_port
+ }
+}
+
+// Scaling metrics
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
+ alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-down if CPU < 60% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 60
+ alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "LessThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_down", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 80
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_up", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = 1
+}
diff --git a/deprecated/terraform/aws/R81/autoscale/output.tf b/deprecated/terraform/aws/R81/autoscale/output.tf
new file mode 100755
index 00000000..152bb744
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/output.tf
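Review bot: `aws_elb.proxy_elb` builds its name as `format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex)`, but `var.prefix` defaults to "" in the variables.tf of this same commit, so a deployment without a prefix yields a name that starts with "-", which classic ELB naming does not accept; `local.asg_name` already guards the empty prefix and the same expression belongs here, e.g. `name = format("%sproxy-elb-%s", var.prefix != "" ? format("%s-", var.prefix) : "", random_id.proxy_elb_uuid.hex)`. Separately, `permissive_sg` admits every protocol and port from 0.0.0.0/0 in both directions while the launch template sets `associate_public_ip_address = true`, so the gateway's own policy is the only inbound control on each instance; that appears intentional for a security gateway, but the resource should say so in code rather than only via its name, e.g. `// Intentionally wide open: inbound filtering is enforced by the CloudGuard gateway policy, not by this group`. `health_check_type = "ELB"` is set unconditionally even though with `proxy_elb_type = "none"` and an empty `target_groups` no load balancer is attached to the group; I have not verified how the ASG behaves in that combination, so it is worth confirming rather than assuming.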
@@ -0,0 +1,43 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = aws_autoscaling_group.asg.name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = aws_autoscaling_group.asg.arn
+}
+output "autoscale_autoscaling_group_availability_zones" {
+ value = aws_autoscaling_group.asg.availability_zones
+}
+output "autoscale_autoscaling_group_desired_capacity" {
+ value = aws_autoscaling_group.asg.desired_capacity
+}
+output "autoscale_autoscaling_group_min_size" {
+ value = aws_autoscaling_group.asg.min_size
+}
+output "autoscale_autoscaling_group_max_size" {
+ value = aws_autoscaling_group.asg.max_size
+}
+output "autoscale_autoscaling_group_load_balancers" {
+ value = aws_autoscaling_group.asg.load_balancers
+}
+output "autoscale_autoscaling_group_target_group_arns" {
+ value = aws_autoscaling_group.asg.target_group_arns
+}
+output "autoscale_autoscaling_group_subnets" {
+ value = aws_autoscaling_group.asg.vpc_zone_identifier
+}
+output "autoscale_launch_template_id" {
+ value = aws_launch_template.asg_launch_template.id
+}
+
+output "autoscale_security_group_id" {
+ value = aws_security_group.permissive_sg.id
+}
+
+output "autoscale_iam_role_name" {
+ value = aws_iam_role.role.*.name
+}
+
diff --git a/deprecated/terraform/aws/R81/autoscale/terraform.tfvars b/deprecated/terraform/aws/R81/autoscale/terraform.tfvars
new file mode 100755
index 00000000..d513fcd5
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/terraform.tfvars
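Review bot: The output is named `autoscale_security_group_id` here, but the README added in this same commit lists it as `autoscale_autoscale_security_group_id` in its Outputs table, so one of the two must change before anyone references the documented name from a wrapper module. `autoscale_iam_role_name` returns the list `aws_iam_role.role.*.name`, which is empty when `enable_cloudwatch` is false, whereas the README describes a single name "(if created)"; giving the outputs `description` attributes, e.g. `description = "IAM role names (empty list when enable_cloudwatch is false)"`, keeps that contract in the code instead of only in the README.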
@@ -0,0 +1,45 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "env1"
+asg_name = "autoscaling_group"
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+gateways_provision_address_type = "private"
+management_server = "mgmt_env1"
+configuration_template = "tmpl_env1"
+
+// --- EC2 Instances Configuration ---
+gateway_name = "asg_gateway"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+metadata_imdsv2_required = true
+
+// --- Auto Scaling Configuration ---
+minimum_group_size = 2
+maximum_group_size = 10
+target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_instance_connect = false
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Outbound Proxy Configuration (optional) ---
+proxy_elb_type = "internet-facing"
+proxy_elb_clients = "0.0.0.0/0"
+proxy_elb_port = 8080
diff --git a/deprecated/terraform/aws/R81/autoscale/variables.tf b/deprecated/terraform/aws/R81/autoscale/variables.tf
new file mode 100755
index 00000000..81d256ab
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/variables.tf
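Review bot: The sample values `proxy_elb_type = "internet-facing"` together with `proxy_elb_clients = "0.0.0.0/0"` mean that anyone who applies this tfvars as-is stands up a publicly reachable TCP proxy listener on port 8080 in front of the gateways; the README's own conditional-creation section shows `proxy_elb_type = "none"`, which is the safer sample default, and `proxy_elb_clients` should be shown narrowed to the actual client range. The placeholder `gateway_SICKey = "12345678"` is exactly the minimum the locals.tf regex accepts, and the README table in this commit lists it as the variable's default although the variable declares none; a comment such as `# sample only - replace with a unique key of at least 8 alphanumeric characters` next to it would reduce the chance of it being deployed unchanged.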
@@ -0,0 +1,190 @@
+// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. Recommended at least 2"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the CME configuration"
+}
+variable "configuration_template" {
+ type = string
+ description = "Name of the provisioning template in the CME configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
+
+// --- EC2 Instances Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateways instances"
+ default = "Check-Point-ASG-gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "instances_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. 
All tags will be added on all AutoScaling Group instances"
+ default = {}
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+
+// --- Auto Scaling Configuration ---
+variable "minimum_group_size" {
+ type = number
+ description = "The minimum number of instances in the Auto Scaling group"
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximum number of instances in the Auto Scaling group"
+ default = 10
+}
+variable "target_groups" {
+ type = list(string)
+ description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group"
+ default = []
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- (Optional) Outbound Proxy Configuration ---
+variable "proxy_elb_type" {
+ type = string
+ description = "Type of ELB to create as an HTTP/HTTPS outbound proxy"
+ default = "none"
+}
+variable "proxy_elb_port" {
+ type = number
+ description = "The TCP port on which the proxy will be listening"
+ default = 8080
+}
+variable "proxy_elb_clients" {
+ type = string
+ description = "The CIDR range of the clients of the proxy"
+ default = "0.0.0.0/0"
+}
diff --git a/deprecated/terraform/aws/R81/autoscale/versions.tf b/deprecated/terraform/aws/R81/autoscale/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/autoscale/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cluster-master/README.md b/deprecated/terraform/aws/R81/cluster-master/README.md
new file mode 100755
index 00000000..fb997341
--- /dev/null
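Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` hold credentials, but none of the four `variable` blocks sets `sensitive = true`, so their values are printed in clear in `terraform plan`/`apply` output and in any diagnostic that echoes the variable. versions.tf in this hunk pins `required_version = ">= 0.14.3"`, and the `sensitive` argument exists from Terraform 0.14.0, so adding `sensitive = true` to each of those blocks is free. Separately, the `gateway_SICKey` description promises "at least 8 alphanumeric characters" but no `validation` block enforces it in this file (a check may live in a locals file not shown); the `configuration_template` variable above already shows the pattern, e.g. `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) error_message = "gateway_SICKey must be at least 8 alphanumeric characters." }`. The `null_resource` with a string-valued `count` used for the volume-size check could likewise become a `validation` block on `volume_size`, which produces a readable error instead of a type-conversion failure.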
+++ b/deprecated/terraform/aws/R81/cluster-master/README.md 
@@ -0,0 +1,221 @@ +# Check Point CloudGuard Network Security Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information + +This solution uses the following modules: +- /terraform/aws/cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 
(IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/cluster-master/locals.tf b/deprecated/terraform/aws/R81/cluster-master/locals.tf new file mode 100755 index 00000000..b77484fe --- /dev/null +++ b/deprecated/terraform/aws/R81/cluster-master/locals.tf 
@@ -0,0 +1,52 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+}
diff --git a/deprecated/terraform/aws/R81/cluster-master/main.tf b/deprecated/terraform/aws/R81/cluster-master/main.tf
new file mode 100755
index 00000000..29746863
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster-master/main.tf
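Review bot: `regex_valid_key_name = "[\\S\\s]+[\\S]+"` requires at least two characters, so a one-character key-pair name such as `"k"` makes `regex()` fail even though the intent (and the message "must be a none empty string") is only to reject an empty value; because the pattern is unanchored, a name with trailing whitespace is also rejected via the `== var.key_name` comparison with that same misleading text. An anchored pattern states the intent directly: `regex_valid_key_name = "^\\S([\\S\\s]*\\S)?$"`, and the message should read "non-empty". Note also that for the anchored patterns in this file (`regex_valid_gateway_sic_key`, `regex_valid_vpc_cidr`, the hostname, hash and NTP checks) a non-match aborts inside `regex()` with Terraform's own "pattern did not match" error, so the custom string in the `? 0 : "..."` branch is never shown; `validation` blocks on the variables, or `can(regex(...))` in a `precondition`, would surface the intended messages.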
@@ -0,0 +1,64 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+module "launch_cluster_into_vpc" {
+ source = "../cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = 
var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
diff --git a/deprecated/terraform/aws/R81/cluster-master/output.tf b/deprecated/terraform/aws/R81/cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster-master/terraform.tfvars b/deprecated/terraform/aws/R81/cluster-master/terraform.tfvars
new file mode 100755
index 00000000..1e7b2c78
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster-master/terraform.tfvars
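Review bot: `aws_route_table_association.private_rtb_to_private_subnets` binds the new `private_subnet_rtb` only to `module.launch_vpc.private_subnets_ids_list[0]`, while `private_subnets_map` is a map that accepts one entry per availability zone; any additional private subnet is left on the VPC's main route table and does not receive whatever routes the cluster module installs into `private_route_table` (that module is outside this diff). Either state in the README that only the first private subnet is routed through the cluster, or associate all of them: `for_each = toset(module.launch_vpc.private_subnets_ids_list)` with `subnet_id = each.value` in that resource. The same `[0]` selection is repeated for `private_subnet_id` in `module.launch_cluster_into_vpc`, which is presumably intentional since both cluster members live in one subnet.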
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster-master/variables.tf b/deprecated/terraform/aws/R81/cluster-master/variables.tf
new file mode 100755
index 00000000..d1faf72c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster-master/variables.tf
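Review bot: `gateway_SICKey = "12345678"` is a deployable value — it satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf — so a user who edits only the network settings ships a cluster whose one-time SIC trust secret is the published sample, and the README's Default column for this input repeats the same value. Prefer a placeholder the validator rejects plus a pointer on how to generate a real one, e.g. `gateway_SICKey = "" # REQUIRED: random string of >= 8 alphanumeric chars, e.g. openssl rand -hex 8`. The autoscale tfvars added in this same commit carries the identical sample key and should be changed the same way.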
@@ -0,0 +1,183 @@
+// Module: Check Point CloudGuard Network Security Cluster into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R81/cluster-master/versions.tf b/deprecated/terraform/aws/R81/cluster-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
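Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` are declared as plain `string` variables without `sensitive = true`, so their values are printed in plan/apply output and in anything that interpolates them; the module's versions.tf in this commit requires Terraform >= 0.14.3, where the attribute is available, so add `sensitive = true` to each of those blocks. Separately, `resource "null_resource" "volume_size_too_small"` enforces the minimum size by assigning a string to `count`, which surfaces as a type-conversion error rather than the intended message; a `validation` block on `variable "volume_size"` carries the message and lets the null_resource (and the provider it pulls in) go. Sketch of both changes below; the remaining variable blocks are unchanged.
```hcl
variable "secret_key" {
  type        = string
  description = "AWS secret key"
  default     = ""
  sensitive   = true
}
// … unchanged: region, vpc_cidr, subnet maps … (same `sensitive = true` added to access_key, gateway_SICKey, both password-hash variables and both tokens)
variable "volume_size" {
  type        = number
  description = "Root volume size (GB) - minimum 100"
  default     = 100
  validation {
    condition     = var.volume_size >= 100
    error_message = "volume_size must be at least 100."
  }
}
// … unchanged: volume_encryption and the remaining variables …
```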
+++ b/deprecated/terraform/aws/R81/cluster-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cluster/README.md b/deprecated/terraform/aws/R81/cluster/README.md
new file mode 100755
index 00000000..4e6adbe2
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/README.md
@@ -0,0 +1,202 @@ +# Check Point CloudGuard Network Security Cluster Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into an existing VPC on AWS. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 
(IMDSv2) only | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20230503 | Smart-1 Cloud token validation |
+| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210309 | First release of Check Point Security Cluster Terraform module for AWS |
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/deprecated/terraform/aws/R81/cluster/cluster_member_a_userdata.yaml b/deprecated/terraform/aws/R81/cluster/cluster_member_a_userdata.yaml
new file mode 100755
index 00000000..1fa105c0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/cluster_member_a_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster/cluster_member_b_userdata.yaml b/deprecated/terraform/aws/R81/cluster/cluster_member_b_userdata.yaml
new file mode 100755
index 00000000..36d29dc5
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/cluster_member_b_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster/locals.tf b/deprecated/terraform/aws/R81/cluster/locals.tf
new file mode 100755
index 00000000..d64b39e7
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/locals.tf
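Review bot: `templateVersion=\"20231012\"` in the member B runcmd disagrees with member A's `templateVersion=\"20240704\"` in the previous hunk (and with the 20240704 entry in the cluster README's revision history), and B's `hostName=\"${Hostname }\"` carries a stray space inside the interpolation that A does not have; the two files should differ only in `TokenB` and `MemberBPublicAddress`. Change the two arguments to `templateVersion=\"20240704\"` and `hostName=\"${Hostname}\"` so both members report the same template version. Note also that this line hands the SIC key, both password hashes and the Smart-1 Cloud token to `cloud_config.py` as command-line arguments inside cloud-init user-data, which as far as I can tell is retrievable from the instance metadata service; that is a concrete reason to keep `metadata_imdsv2_required` at its default of true.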
@@ -0,0 +1,69 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenA = split(" ", var.memberAToken)
+ tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1))
+ regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format"
+
+ //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenB = split(" ", var.memberBToken)
+ tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1))
+ regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 
0 : "Smart-1 Cloud token B is invalid format"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+}
diff --git a/deprecated/terraform/aws/R81/cluster/main.tf b/deprecated/terraform/aws/R81/cluster/main.tf
new file mode 100755
index 00000000..8282b24b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/main.tf
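Review bot: The `… ? 0 : "Variable [...] must be …"` locals in this hunk (`regex_key_name_result`, `regex_gateway_sic_result`, `regex_tokenA`/`regex_tokenB`, `regex_gateway_hostname`, both password-hash checks and both `*_ntp` checks) never surface their message: `regex()` raises Terraform's own error when the pattern does not match, and when the match is only partial the local merely holds the message string, which nothing consumes, so the explanatory text is dead code and the operator sees a generic regex error. `validation` blocks on the corresponding variables would deliver those messages in the intended place. `regex_token_valid` also leaves its dots unescaped and lets `(.+)` run across `/`, so it only confirms that the decoded token contains `https://` and the `checkpoint.com/app/maas/api/v1/tenant` substring somewhere rather than that the host is under checkpoint.com; `^https://[^/]+\\.checkpoint\\.com/app/maas/api/v1/tenant` anchors the host portion. Finally, `provided_roue_table` looks like a typo for `provided_route_table` and, from this hunk alone, appears unused alongside `internal_route_table_condition`.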
@@ -0,0 +1,291 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+ chkp_type = "gateway"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+}
+
+resource "aws_iam_instance_profile" "cluster_instance_profile" {
+ path = "/"
+ role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role
+}
+
+module "cluster_iam_role" {
+ source = "../modules/cluster-iam-role"
+ count = local.create_iam_role
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_instance_profile.cluster_instance_profile.role
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name
+}
+
+resource "aws_network_interface" "member_a_external_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A external"
+ source_dest_check = false
+ lifecycle {
+ ignore_changes = [private_ips_count,]
+ }
+ private_ips_count = 1
+ tags = {
+ Name = format("%s-Member_A_ExternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_b_external_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B external"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-Member_B_ExternalInterface", var.resources_tag_name != "" ?
var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_a_internal_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A internal"
+ source_dest_check = false
+ lifecycle {
+ ignore_changes = [private_ips_count,]
+ }
+ private_ips_count = 1
+ tags = {
+ Name = format("%s-Member_A_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_network_interface" "member_b_internal_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B internal"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-Member_B_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+
+resource "aws_route" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ lifecycle {
+ ignore_changes = [network_interface_id,]
+ }
+ destination_cidr_block = "0.0.0.0/0"
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+}
+
+resource "aws_route_table_association" "private_rtb_to_private_subnet" {
+ count = var.private_route_table == "" ? 0 : 1
+ route_table_id = var.private_route_table
+ subnet_id = var.private_subnet_id
+}
+
+resource "aws_launch_template" "member_a_launch_template" {
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ?
"required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_launch_template" "member_b_launch_template" {
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_instance" "member-a-instance" {
+ depends_on = [
+ aws_network_interface.member_a_external_eni,
+ aws_network_interface.member_a_internal_eni
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_a_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-A",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ var.allocate_and_associate_eip ?
aws_eip.member_a_eip[0].public_ip : "", aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0),
+ element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenA = var.memberAToken,
+ MemberAPublicAddress = var.allocate_and_associate_eip ?
aws_eip.member_a_eip[0].public_ip : "",
+ AllocateAddress = var.allocate_and_associate_eip,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_instance" "member-b-instance" {
+ depends_on = [
+ aws_network_interface.member_b_external_eni,
+ aws_network_interface.member_b_internal_eni
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_b_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-B",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "", aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0),
+ element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ?
var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenB = var.memberBToken,
+ MemberBPublicAddress = var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "",
+ AllocateAddress = var.allocate_and_associate_eip,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_eip" "cluster_eip" {
+}
+
+resource "aws_eip" "member_a_eip" {
+ count = var.allocate_and_associate_eip ? 1 : 0
+}
+
+resource "aws_eip" "member_b_eip" {
+ count = var.allocate_and_associate_eip ? 1 : 0
+}
+
+resource "aws_eip_association" "cluster_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ allocation_id = aws_eip.cluster_eip.id
+ lifecycle {
+ ignore_changes = [
+ network_interface_id, private_ip_address
+ ]
+ }
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip
+}
+resource "aws_eip_association" "member_a_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ count = var.allocate_and_associate_eip ?
1 : 0
+ allocation_id = aws_eip.member_a_eip[0].id
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary
+}
+resource "aws_eip_association" "member_b_address_assoc" {
+ depends_on = [aws_instance.member-b-instance]
+ count = var.allocate_and_associate_eip ? 1 : 0
+ allocation_id = aws_eip.member_b_eip[0].id
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary
+}
+
diff --git a/deprecated/terraform/aws/R81/cluster/output.tf b/deprecated/terraform/aws/R81/cluster/output.tf
new file mode 100755
index 00000000..6e8f5cbf
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "cluster_public_ip" {
+ value = aws_eip.cluster_eip.*.public_ip
+}
+output "member_a_public_ip" {
+ value = aws_eip.member_a_eip.*.public_ip
+}
+output "member_b_public_ip" {
+ value = aws_eip.member_b_eip.*.public_ip
+}
+output "member_a_ssh" {
+ value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip[0].public_ip) : ""
+}
+output "member_b_ssh" {
+ value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip[0].public_ip) : ""
+}
+output "member_a_url" {
+ value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_a_eip[0].public_ip) : ""
+}
+output "member_b_url" {
+ value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_b_eip[0].public_ip) : ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster/terraform.tfvars b/deprecated/terraform/aws/R81/cluster/terraform.tfvars
new file mode 100755
index 00000000..179fe10b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/terraform.tfvars
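Review bot: The SIC key and both password hashes reach the gateways through `user_data` (the `SICKey`, `PasswordHash` and `MaintenanceModePassword` arguments of `member-a-instance` and `member-b-instance`), and the base64 applied in the locals is encoding, not protection: any process on the gateway that can reach the instance metadata service, and any principal holding `ec2:DescribeInstanceAttribute`, can read them back. Because both launch templates set only `http_tokens`, IMDSv1 stays enabled whenever `metadata_imdsv2_required` is false, so an SSRF through the gateway's own portal would be enough to fetch the user data. I would say so at each `metadata_options` block, `# user_data carries the SIC key and password hashes; with http_tokens = "optional" IMDSv1 exposes them to any SSRF on the gateway`, and pin `http_put_response_hop_limit = 1` explicitly rather than relying on the provider default. The rendered user data presumably also ends up in the plan and state, so the state backend needs the same access controls as the secrets themselves — worth confirming for this module.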
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cluster/variables.tf b/deprecated/terraform/aws/R81/cluster/variables.tf
new file mode 100755
index 00000000..1b515744
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/variables.tf
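Review bot: `gateway_SICKey = "12345678"` is a committed sample that satisfies the 8-character minimum exactly and is the kind of value that gets deployed unchanged; the SIC key is the shared secret that establishes trust between the gateway and the management server, so the sample should not read as an acceptable value. I would flag it in place, `gateway_SICKey = "12345678" // placeholder only: use a random string of 8+ alphanumeric characters and keep the real value out of version control`, and put the same warning on the `memberAToken`/`memberBToken` and password-hash lines, since `terraform.tfvars` is auto-loaded and lives in the repository. Separately, `primary_ntp = ""` and `secondary_ntp = ""` override the `169.254.169.123` and `0.pool.ntp.org` defaults declared in variables.tf with empty strings, which is probably not what someone copying this file intends; dropping those two lines keeps the defaults.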
@@ -0,0 +1,181 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_id" {
+ type = string
+ description = "The public subnet of the cluster. The cluster's public IPs will be generated from this subnet"
+}
+variable "private_subnet_id" {
+ type = string
+ description = "The private subnet of the cluster. The cluster's private IPs will be generated from this subnet"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R81/cluster/versions.tf b/deprecated/terraform/aws/R81/cluster/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cluster/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/README.md b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/README.md
new file mode 100755
index 00000000..ae261614
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/README.md
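Review bot: None of the secret-bearing inputs in this file is marked `sensitive`, although the pinned `required_version = ">= 0.14.3"` already supports the attribute: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` are plain `string` variables, so their values, and every expression derived from them, show up unredacted in `terraform plan`/`apply` output and CI logs. Adding `sensitive = true` to each of those six blocks makes Terraform redact them in plan and apply output; the state file still holds them, so this is not a substitute for protecting the backend. In the same file, `volume_size` is validated by the `null_resource "volume_size_too_small"` trick, where `count` becomes a string on failure and the user sees a type-conversion error; a `validation` block inside the variable with `condition = var.volume_size >= 100` and `error_message = "volume_size must be at least 100"` is supported from 0.13 and yields a readable message instead.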
@@ -0,0 +1,100 @@ +# AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230926 | CME instance profile for IAM Role | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/main.tf b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/main.tf new file mode 100755 index 00000000..33ea37ab --- /dev/null +++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/main.tf 
@@ -0,0 +1,110 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role_gwlb" {
+ assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = var.trusted_account == "" ? "Service" : "AWS"
+ identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+ }
+ }
+}
+
+locals {
+ provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+ allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+ allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = var.sts_roles
+ }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+ count = local.provided_sts_roles
+ policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+ count = local.provided_sts_roles
+ policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "elasticloadbalancing:DescribeLoadBalancers",
+
"elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetHealth"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+ count = local.allow_read_permissions
+ policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+ count = local.allow_read_permissions
+ policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:CreateRoute",
+ "ec2:ReplaceRoute",
+ "ec2:DeleteRoute",
+ "ec2:CreateRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:CreateTags"
+]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+ count = local.allow_write_permissions
+ policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+ count = local.allow_write_permissions
+ policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/output.tf b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/output.tf
new file mode 100755
index 00000000..8c86901a
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/output.tf
@@ -0,0 +1,13 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role_gwlb.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role_gwlb.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
+
diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/terraform.tfvars b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/terraform.tfvars
new file mode 100755
index 00000000..9914eae9
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/variables.tf b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/variables.tf
new file mode 100755
index 00000000..3a0fe740
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/deprecated/terraform/aws/R81/cme-iam-role-gwlb/versions.tf b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/versions.tf
new file mode 100755
index 00000000..b3e24059
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role-gwlb/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cme-iam-role/README.md b/deprecated/terraform/aws/R81/cme-iam-role/README.md
new file mode 100755
index 00000000..5aa02a68
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role/README.md
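Review bot: `secret_key` is a plain `string` variable with no `sensitive = true`, so a static AWS secret passed through it is echoed in plan output and CI logs; the module pins `required_version = ">= 0.14.3"`, which supports the attribute, and `access_key` deserves the same marking. The `trusted_account` description promises a 12-digit account ID, but nothing checks the format, and main.tf in this same commit feeds the value straight into the role's trust policy; a `validation` block with `condition = var.trusted_account == "" || can(regex("^[0-9]{12}$", var.trusted_account))` would reject typos before an unintended principal is trusted, or, if ARNs are meant to be accepted, the description should say so. The `index()` call in `locals` does reject an invalid `permissions` value, but as a function error; a `validation` block using `contains([...], var.permissions)` with the list inlined (validation conditions cannot reference locals) would give a readable message instead.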
@@ -0,0 +1,102 @@ +# AWS IAM Role for Cloud Management Extension (CME) Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230514 | CME instance profile for IAM Role | +| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/cme-iam-role/main.tf b/deprecated/terraform/aws/R81/cme-iam-role/main.tf new file mode 100755 index 00000000..817e3b90 --- /dev/null +++ b/deprecated/terraform/aws/R81/cme-iam-role/main.tf 
@@ -0,0 +1,136 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role" {
+ assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = var.trusted_account == "" ? "Service" : "AWS"
+ identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+ }
+ }
+}
+
+locals {
+ provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+ allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+ allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = var.sts_roles
+ }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+ count = local.provided_sts_roles
+ policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+ count = local.provided_sts_roles
+ policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
+ "ec2:DescribeCustomerGateways",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeTransitGatewayAttachments",
+ "ec2:DescribeTransitGatewayRouteTables",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpnGateways",
+ "ec2:DescribeVpnConnections",
+ "ec2:GetTransitGatewayAttachmentPropagations",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetHealth"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+ count = local.allow_read_permissions
+ policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+ count = local.allow_read_permissions
+ policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:AssociateTransitGatewayRouteTable",
+ "ec2:AttachVpnGateway",
+ "ec2:CreateCustomerGateway",
+ "ec2:CreateVpnConnection",
+ "ec2:CreateVpnGateway",
+ "ec2:DeleteCustomerGateway",
+ "ec2:DeleteVpnConnection",
+ "ec2:DeleteVpnGateway",
+ "ec2:DetachVpnGateway",
+ "ec2:DisableTransitGatewayRouteTablePropagation",
+ "ec2:DisableVgwRoutePropagation",
+ "ec2:DisassociateTransitGatewayRouteTable",
+ "ec2:EnableTransitGatewayRouteTablePropagation",
+ "ec2:EnableVgwRoutePropagation"]
+ resources = ["*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "cloudformation:DescribeStacks",
+ "cloudformation:DescribeStackResources",
+ "cloudformation:ListStacks"]
+ resources = ["*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "cloudformation:CreateStack",
+ "cloudformation:DeleteStack"]
+ resources = ["arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+ count = local.allow_write_permissions
+ policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+ count = local.allow_write_permissions
+ policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+ role = aws_iam_role.cme_iam_role.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cme-iam-role/output.tf b/deprecated/terraform/aws/R81/cme-iam-role/output.tf
new file mode 100755
index 00000000..cad35709
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role/output.tf
@@ -0,0 +1,12 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cme-iam-role/terraform.tfvars b/deprecated/terraform/aws/R81/cme-iam-role/terraform.tfvars
new file mode 100755
index 00000000..9914eae9
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cme-iam-role/variables.tf b/deprecated/terraform/aws/R81/cme-iam-role/variables.tf
new file mode 100755
index 00000000..3a0fe740
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role/variables.tf
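Review bot: In `cme_role_assume_policy_document`, a non-empty `var.trusted_account` is placed directly in `identifiers` as an `AWS` principal, which is the account-root form: every IAM principal in that account whose own policies allow `sts:AssumeRole` can assume this role, and the trust statement has no `condition` block narrowing that further. This matches the variable description, but it is easy to miss when reading main.tf on its own; a comment on the `identifiers` line such as `// A bare account ID trusts the whole account; pass a role/user ARN (or add a condition) to trust a single principal` would make the scope explicit. The `sts_roles` values are likewise passed straight into `resources` of `cme_role_sts_policy_doc` without any ARN-shape check, so a malformed entry only surfaces at apply time.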
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/deprecated/terraform/aws/R81/cme-iam-role/versions.tf b/deprecated/terraform/aws/R81/cme-iam-role/versions.tf
new file mode 100755
index 00000000..b3e24059
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cme-iam-role/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/README.md b/deprecated/terraform/aws/R81/cross-az-cluster-master/README.md
new file mode 100755
index 00000000..7ab3bd65
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/README.md
@@ -0,0 +1,219 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/cross-az-cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1a" = 4 + } + subnets_bit_length = 8 + + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX - R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/locals.tf b/deprecated/terraform/aws/R81/cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..68e4523f --- /dev/null +++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/locals.tf 
@@ -0,0 +1,58 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + create_iam_role = var.predefined_role == "" ? 1 : 0 + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0 + validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty." + //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa + regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.memberAToken) > 0 + is_both_tokens_the_same = var.memberAToken == var.memberBToken + validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + //Will fail if both s1c tokens are the same + regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : "" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + volume_type_allowed_values = [ + "gp3", + "gp2"] + // will fail if [var.VolumeType] is invalid: + validate_volume_type = index(local.volume_type_allowed_values, var.volume_type) +} diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/main.tf b/deprecated/terraform/aws/R81/cross-az-cluster-master/main.tf new file mode 100755 index 00000000..f12ae536 --- /dev/null +++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/main.tf 
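Review bot: `regex_valid_gateway_password_hash` is only a character-set filter (`^[\$\./a-zA-Z0-9]*$`), so a plaintext password such as `Admin123` satisfies it and the message "must be a valid password hash" overstates what was checked; the value is then handed to the cluster module unchanged. The output of `openssl passwd -6`, which the variable description prescribes, always starts with `$6$`, so `gateway_password_hash` could be tightened to `"^(\\$6\\$[\\./a-zA-Z0-9]+\\$[\\./a-zA-Z0-9]+|)$"` (widen the id group if other crypt ids are meant to be accepted), while the maintenance-mode check should stay as is because `grub2-mkpasswd-pbkdf2` output has a different shape that I cannot confirm from here. If the regex stays, the comment above it should read `// Charset check only: does not verify hash structure, a plaintext password passes`. Separately, the `key_name` message says "none empty string" and should read "non-empty string".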
@@ -0,0 +1,70 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_a" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_b" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[1]
+}
+
+module "launch_cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_ids = module.launch_vpc.public_subnets_ids_list
+ private_subnet_ids = module.launch_vpc.private_subnets_ids_list
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/output.tf b/deprecated/terraform/aws/R81/cross-az-cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/terraform.tfvars b/deprecated/terraform/aws/R81/cross-az-cluster-master/terraform.tfvars
new file mode 100755
index 00000000..28cb64a3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/terraform.tfvars
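Review bot: The `provider "aws"` block at the top of the main.tf hunk takes `access_key`/`secret_key` from variables, which steers operators toward putting long-lived IAM user keys into terraform.tfvars beside the module. Prefer the provider's default credential chain (environment variables, shared config/SSO, an instance profile, or an `assume_role` block) and drop the two attributes, which is what the README already describes as the alternative. If they are kept for compatibility, add a comment above the block: `// Leave access_key/secret_key empty to use the AWS default credential chain; never commit real keys in terraform.tfvars`. Whether the provider treats the empty-string defaults given in variables.tf as unset should be confirmed before relying on that comment.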
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/variables.tf b/deprecated/terraform/aws/R81/cross-az-cluster-master/variables.tf
new file mode 100755
index 00000000..d49cf50c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/variables.tf
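Review bot: `gateway_SICKey = "12345678"` is a placeholder that satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so an operator who runs apply without editing it deploys a cluster whose SIC trust rests on a trivially guessable key. Ship the placeholder as `gateway_SICKey = "" // REQUIRED: random string of at least 8 alphanumeric characters`, which fails the regex at plan time and forces a real value to be chosen. This file also carries `gateway_password_hash`, the maintenance-mode hash and the two Smart-1 Cloud tokens, so a header line `// Contains secrets once filled in: keep real values out of version control` is worth adding. The README hunk in this diff advertises "12345678" as the default for this input and would need the same correction.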
@@ -0,0 +1,183 @@ +// Module: Check Point CloudGuard Network Security Cross AZ Cluster into a new VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/deprecated/terraform/aws/R81/cross-az-cluster-master/versions.tf b/deprecated/terraform/aws/R81/cross-az-cluster-master/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null 
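Review bot: None of the secret-bearing variables in this hunk — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is marked `sensitive = true`, so their values are echoed verbatim in plan and apply output and into any CI log that captures it. versions.tf in this diff requires Terraform `>= 0.14.3`, which supports the attribute, so adding `sensitive = true` to each of those blocks costs nothing and changes no behaviour. Also, `memberAToken` and `memberBToken` have no `default` even though the tfvars treat them as optional and the locals accept empty strings; add `default = ""` to both so the module can be applied without Smart-1 Cloud.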
+++ b/deprecated/terraform/aws/R81/cross-az-cluster-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/README.md b/deprecated/terraform/aws/R81/cross-az-cluster/README.md
new file mode 100755
index 00000000..9e5b3c7e
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/README.md
@@ -0,0 +1,196 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_ids = ["subnet-abc123", "subnet-def456"] + private_subnet_ids = ["subnet-abc234", "subnet-def567"] + private_route_table = "rtb-12345678" + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_ids | List of public subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | +| private_subnet_ids | List of private subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX - R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_a_userdata.yaml b/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_a_userdata.yaml new file mode 100755 index 00000000..f9a926c5 --- /dev/null +++ b/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_a_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file 
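Review bot: The `runcmd` line passes `sicKey`, `smart1CloudToken`, `passwordHash` and `MaintenanceModePassword` as command-line arguments inside EC2 user-data, which any local process can read via IMDS (IMDSv2 only adds a token handshake, it does not restrict who on the box may read it) and any principal with `ec2:DescribeInstanceAttribute` can fetch, and the values are visible in the process list while `cloud_config.py` runs. Unless `/etc/cloud_config.py` scrubs or re-protects user-data afterwards, which is not visible here, a header comment is warranted: `# NOTE: user-data carries the SIC key, S1C token and password hashes; anyone who can read instance metadata or user-data can recover them`. Separately, a hash from `openssl passwd -6` begins with `$6$` and `\"` leaves the `$` unquoted for the shell, so if stock cloud-init executes this string through `/bin/sh` the `$6` and `$<salt>` fragments would be expanded before `cloud_config.py` sees them; confirm how Gaia's cloud-init runs `runcmd` or that PasswordHash is escaped when the template is rendered.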
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_b_userdata.yaml b/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_b_userdata.yaml
new file mode 100755
index 00000000..a374aaa6
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/cluster_member_b_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/locals.tf b/deprecated/terraform/aws/R81/cross-az-cluster/locals.tf
new file mode 100755
index 00000000..19f67f30
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/locals.tf
@@ -0,0 +1,75 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenA = split(" ", var.memberAToken)
+ tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1))
+ regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format"
+
+ //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenB = split(" ", var.memberBToken)
+ tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1))
+ regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 0 : "Smart-1 Cloud token B is invalid format"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64=base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/main.tf b/deprecated/terraform/aws/R81/cross-az-cluster/main.tf
new file mode 100755
index 00000000..d6a3bda3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/main.tf
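Review bot: `regex_token_valid` leaves the dots in `.checkpoint.com` unescaped and the greedy `(.+)` before them can span `/`, so the check only confirms that the decoded token has `https://` somewhere ahead of a `checkpoint.com/app/maas/api/v1/tenant` substring, not that its host is actually a checkpoint.com name; the token is operator-supplied, so this is format validation rather than a trust boundary, but `regex_token_valid = "(^https://[^/]+\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"` states the intended shape precisely and uses the same `\\.` escaping the file already applies in `regex_valid_gateway_password_hash`. `provided_roue_table` is misspelled and, as far as the main.tf hunk on this page shows, is not referenced anywhere, while `internal_route_table_condition` expresses the same condition. The `locals` block is complete within the hunk.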
@@ -0,0 +1,294 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+ chkp_type = "gateway"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+}
+
+resource "aws_iam_instance_profile" "cluster_instance_profile" {
+ path = "/"
+ role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role
+}
+
+module "cluster_iam_role" {
+ source = "../modules/cluster-iam-role"
+ count = local.create_iam_role
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_instance_profile.cluster_instance_profile.role
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name
+}
+
+resource "aws_network_interface" "member_a_external_eni" {
+ subnet_id = var.public_subnet_ids[0]
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A external"
+ source_dest_check = false
+ private_ips_count = 1
+ tags = {
+ x-chkp-interface-type = "external" }
+}
+
+resource "aws_network_interface" "member_b_external_eni" {
+ subnet_id = var.public_subnet_ids[1]
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B external"
+ source_dest_check = false
+ private_ips_count = 1
+ tags = {
+ x-chkp-interface-type = "external" }
+}
+
+resource "aws_network_interface" "member_a_internal_eni" {
+ subnet_id = var.private_subnet_ids[0]
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member A internal"
+ source_dest_check = false
+ tags = {
+ x-chkp-interface-type = "internal" }
+}
+
+resource "aws_network_interface" "member_b_internal_eni" {
+ subnet_id = var.private_subnet_ids[1]
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "Member B internal"
+ source_dest_check = false
+ tags = {
+ x-chkp-interface-type = "internal" }
+}
+
+resource "aws_route" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ lifecycle {
+ ignore_changes = [network_interface_id,]
+ }
+ destination_cidr_block = "0.0.0.0/0"
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+}
+
+resource "aws_route_table_association" "private_rtb_a" {
+ count = var.private_route_table == "" ? 0 : 1
+ route_table_id = var.private_route_table
+ subnet_id = var.private_subnet_ids[0]
+}
+resource "aws_route_table_association" "private_rtb_b" {
+ count = var.private_route_table == "" ? 0 : 1
+ route_table_id = var.private_route_table
+ subnet_id = var.private_subnet_ids[1]
+}
+
+resource "aws_launch_template" "member_a_launch_template" {
+ depends_on = [
+ aws_network_interface.member_a_external_eni,
+ aws_network_interface.member_a_internal_eni
+ ]
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_a_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_launch_template" "member_b_launch_template" {
+ depends_on = [
+ aws_network_interface.member_b_external_eni,
+ aws_network_interface.member_b_internal_eni
+ ]
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = aws_iam_instance_profile.cluster_instance_profile.id
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ device_index = 0
+ }
+ network_interfaces {
+ network_interface_id = aws_network_interface.member_b_internal_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_instance" "member-a-instance" {
+ depends_on = [
+ aws_launch_template.member_a_launch_template
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_a_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-A",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ aws_eip.member_a_eip.public_ip, aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenA = var.memberAToken,
+ MemberAPublicAddress = aws_eip.member_a_eip.public_ip,
+ PublicAddressCluster = aws_eip.cluster_eip.public_ip,
+ MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "",//extracting member's secondary ip which represent the cluster ip
+ MemberBPrivateAddressCluster = aws_network_interface.member_b_internal_eni.private_ip,
+ MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "",
+ AllocateAddress = true,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_instance" "member-b-instance" {
+ depends_on = [
+ aws_launch_template.member_b_launch_template
+ ]
+
+ launch_template {
+ id = aws_launch_template.member_b_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = format("%s-Member-B",var.gateway_name),
+ x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s",
+ aws_eip.member_b_eip.public_ip, aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip),
+ x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s",
+ aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0))
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+ lifecycle {
+ ignore_changes = [ebs_block_device,]
+ }
+
+ user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", {
+ // script's arguments
+ Hostname = var.gateway_hostname,
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ EnableInstanceConnect = var.enable_instance_connect,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ SICKey = local.gateway_SICkey_base64,
+ TokenB = var.memberBToken,
+ MemberBPublicAddress = aws_eip.member_b_eip.public_ip,
+ PublicAddressCluster=aws_eip.cluster_eip.public_ip,
+ MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "", //extracting member's secondary ip which represent the member ip
+ MemberAPrivateAddressCluster=aws_network_interface.member_a_internal_eni.private_ip,
+ MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "",
+ AllocateAddress = true,
+ OsVersion = local.version_split
+ })
+}
+
+resource "aws_eip" "cluster_eip" {
+}
+resource "aws_eip" "member_a_eip" {
+}
+resource "aws_eip" "member_b_eip" {
+}
+
+resource "aws_eip_association" "cluster_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ allocation_id = aws_eip.cluster_eip.id
+ lifecycle {
+ ignore_changes = [
+ network_interface_id, private_ip_address
+ ]
+ }
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip
+}
+resource "aws_eip_association" "member_a_address_assoc" {
+ depends_on = [aws_instance.member-a-instance]
+ allocation_id = aws_eip.member_a_eip.id
+ network_interface_id = aws_network_interface.member_a_external_eni.id
+ private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary
+}
+resource "aws_eip_association" "member_b_address_assoc" {
+ depends_on = [aws_instance.member-b-instance]
+ allocation_id = aws_eip.member_b_eip.id
+ network_interface_id = aws_network_interface.member_b_external_eni.id
+ private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/output.tf b/deprecated/terraform/aws/R81/cross-az-cluster/output.tf
new file mode 100755
index 00000000..e475a650
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/output.tf
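Review bot: Both `ebs_block_device` blocks (`member-a-instance` and `member-b-instance`) hard-code `volume_type = "gp2"`, while locals.tf validates `var.volume_type` (`validate_volume_type`) and variables.tf defaults it to `gp3`, so the input is checked but never applied; `volume_type = var.volume_type` in both blocks would make the validated value effective. A related consistency point: the `x-chkp-cluster-ips` tag on each instance calls `element(tolist(setsubtract(...)), 0)` on the external ENI's addresses without the `length(tolist(...private_ips)) > 1` guard that the `user_data` arguments and `cluster_address_assoc` apply to the same expression, so the tag path and the user-data path disagree on what happens when no secondary IP is present. The main.tf hunk is complete on this page.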
@@ -0,0 +1,30 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "cluster_public_ip" {
+ value = aws_eip.cluster_eip.*.public_ip
+}
+output "member_a_public_ip" {
+ value = aws_eip.member_a_eip.*.public_ip
+}
+output "member_b_public_ip" {
+ value = aws_eip.member_b_eip.*.public_ip
+}
+output "member_a_eni" {
+ value = aws_network_interface.member_a_external_eni.id
+}
+output "member_a_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip.public_ip)
+}
+output "member_b_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip.public_ip)
+}
+output "member_a_url" {
+ value = format("https://%s", aws_eip.member_a_eip.public_ip)
+}
+output "member_b_url" {
+ value = format("https://%s", aws_eip.member_b_eip.public_ip)
+}
+output "member_b_eni" {
+ value = aws_network_interface.member_b_external_eni.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/terraform.tfvars b/deprecated/terraform/aws/R81/cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..8c6aff9b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/terraform.tfvars
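Review bot: The three `*_public_ip` outputs use the legacy `.*.` splat on `aws_eip` resources that carry no `count` (`aws_eip.cluster_eip.*.public_ip`), which appears to yield a one-element list, while `member_a_ssh`, `member_b_ssh` and the `*_url` outputs read `aws_eip.member_a_eip.public_ip` directly as a string, so consumers of this module get two shapes for the same address. `value = aws_eip.cluster_eip.public_ip` (and likewise for `member_a_public_ip` and `member_b_public_ip`) keeps the outputs consistent with how main.tf and the other outputs use these values.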
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_ids = ["subnet-abc123", "subnet-def456"]
+private_subnet_ids = ["subnet-abc234", "subnet-def567"]
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/variables.tf b/deprecated/terraform/aws/R81/cross-az-cluster/variables.tf
new file mode 100755
index 00000000..c2d66839
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/variables.tf
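Review bot: `gateway_SICKey = "12345678"` is a sample value that satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, yet nothing on the line marks it as a placeholder the way `vpc-12345678` and `subnet-abc123` obviously are, so it is the one value in this file most likely to be applied unchanged; a trailing `// sample only - replace with a random string of at least 8 alphanumeric characters` comment, mirroring the `gateway_SICKey` description in variables.tf, would make that explicit. The `gateway_maintenance_mode_password_hash` line is also the only one using a `#` comment where the rest of the file uses `//`.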
@@ -0,0 +1,181 @@
+// Module: Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. At least 2"
+}
+variable "private_subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. At least 2"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R81/cross-az-cluster/versions.tf b/deprecated/terraform/aws/R81/cross-az-cluster/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/cross-az-cluster/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/gateway-master/README.md b/deprecated/terraform/aws/R81/gateway-master/README.md
new file mode 100755
index 00000000..c3f4952d
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/README.md
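Review bot: The description of `private_subnet_ids` was copied from `public_subnet_ids` and still reads "List of public subnet IDs", the opposite of how main.tf consumes it (`member_a_internal_eni` takes `var.private_subnet_ids[0]`); `description = "List of private subnet IDs to launch resources into. At least 2"`. Separately, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` are declared as plain `string` variables, so their values are echoed verbatim in plan and apply output; the versions.tf hunk on this page pins `required_version = ">= 0.14.3"`, which already supports adding `sensitive = true` to each of those blocks (state still records the values, so this only affects CLI output). Every `variable` block is complete within the hunk.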
@@ -0,0 +1,217 @@ +# Check Point CloudGuard Network Security Gateway Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + + +See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information + +This solution uses the following modules: +- /terraform/aws/gateway +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + + +## Usage +- Fill all variables in the /terraform/aws/gateway-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Gateway-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + gateway_TokenKey = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + + // --- (Optional) Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "" + configuration_template = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Gateway instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------|----------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| ami_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_url | URL to the portal of the deployed Security Gateway | +| gateway_public_ip | The deployed Security Gateway Server AWS public ip | +| gateway_instance_id | The deployed Security Gateway AWS instance id | +| gateway_instance_name | The deployed Security Gateway AWS instance name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add 
support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/gateway-master/locals.tf b/deprecated/terraform/aws/R81/gateway-master/locals.tf new file mode 100755 index 00000000..0ca4134f --- /dev/null +++ b/deprecated/terraform/aws/R81/gateway-master/locals.tf 
@@ -0,0 +1,48 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway-master/main.tf b/deprecated/terraform/aws/R81/gateway-master/main.tf
new file mode 100755
index 00000000..dd09ebb4
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/main.tf
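Review bot: `gateway_SICKey` is validated twice in this block with the same `^[a-zA-Z0-9]{8,}$` pattern, and the first pair's comment and error text name `var.gateway_SIC_Key` / `[gateway_SIC_Key]`, a variable that does not exist in this module's variables.tf (it is `gateway_SICKey`), so a failing plan points the operator at the wrong input. Drop `regex_valid_gateway_sic_key`, its comment and `regex_gateway_sic_result`, and keep the `regex_sic_result` pair at the end, whose message uses the real name. Note also that the check enforces only length and character class, so the `12345678` sample shipped in this module's terraform.tfvars passes it; either tighten the pattern (for example require both letters and digits) or add a comment such as `// format check only - does not reject weak or placeholder keys` so nobody mistakes it for a strength check.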
@@ -0,0 +1,66 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_gateway_into_vpc" {
+ source = "../gateway"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
diff --git a/deprecated/terraform/aws/R81/gateway-master/output.tf b/deprecated/terraform/aws/R81/gateway-master/output.tf
new file mode 100755
index 00000000..2d8a716c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/output.tf
@@ -0,0 +1,33 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "ami_id" {
+ value = module.launch_gateway_into_vpc.ami_id
+}
+output "permissive_sg_id" {
+ value = module.launch_gateway_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_gateway_into_vpc.permissive_sg_name
+}
+output "gateway_url" {
+ value = module.launch_gateway_into_vpc.gateway_url
+}
+output "gateway_public_ip" {
+ value = module.launch_gateway_into_vpc.gateway_public_ip
+}
+output "gateway_instance_id" {
+ value = module.launch_gateway_into_vpc.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.launch_gateway_into_vpc.gateway_instance_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway-master/terraform.tfvars b/deprecated/terraform/aws/R81/gateway-master/terraform.tfvars
new file mode 100755
index 00000000..a8eb1d58
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/terraform.tfvars
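Review bot: `aws_route_table_association.private_rtb_to_private_subnets` attaches the private route table only to `module.launch_vpc.private_subnets_ids_list[0]`, while `private_subnets_map` is documented in this module as creating one subnet per entry with a minimum of one, so any additional private subnet stays on the VPC main route table and never receives whatever routes the gateway module installs into `private_route_table` (presumably the default route through the gateway — not visible here). If several private subnets are meant to be supported, iterate the association with `count = length(var.private_subnets_map)` and `subnet_id = module.launch_vpc.private_subnets_ids_list[count.index]`; otherwise constrain `private_subnets_map` to exactly one entry with a `validation` block so the mismatch cannot be configured silently. Separately, the `provider "aws"` block still takes `access_key`/`secret_key` from input variables and the README tells users to place them in terraform.tfvars, a file that is easy to commit; I would make the environment-variable path the documented default and keep the static-credential path as the exception.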
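Review bot: The route-table output is declared here as `internal_rtb_id`, but the README's Outputs table for this module lists it as `internal_rt_id`, so a script that follows the README with `terraform output internal_rt_id` fails; rename one side so the two agree. While touching that table, `permissive_sg_name` is described as "The permissive security group id name", which should read "The permissive security group name".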
@@ -0,0 +1,50 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = ""
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway-master/variables.tf b/deprecated/terraform/aws/R81/gateway-master/variables.tf
new file mode 100755
index 00000000..1c00c4f3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/variables.tf
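Review bot: `gateway_SICKey = "12345678"` is a sample value that satisfies the `^[a-zA-Z0-9]{8,}$` check in this module's locals.tf, so an operator who copies this file and edits only the obvious fields deploys a gateway whose SIC key is published in this repository. Ship a value the validation rejects so `terraform plan` fails until it is replaced, e.g. `gateway_SICKey = "" # REQUIRED: random string of at least 8 alphanumeric characters`. Likewise `volume_encryption = ""` overrides the `alias/aws/ebs` default declared in variables.tf and documented in the README; whether the gateway module treats the empty string as "use the default key" or as "unencrypted" is not visible here, so confirm that, and if it is the latter ship the sample as `volume_encryption = "alias/aws/ebs"`. `primary_ntp = ""` and `secondary_ntp = ""` similarly blank out the variable defaults (`169.254.169.123` / `0.pool.ntp.org`) and pass the permissive NTP regex, which is unlikely to be what a fresh deployment wants.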
@@ -0,0 +1,195 @@
+// Module: Check Point CloudGuard Network Security Gateway into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instance"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "gateway_TokenKey" {
+ type = string
+ description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) Security Gateway prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the Security Gateway is provisioned using its private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = ""
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = ""
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway-master/versions.tf b/deprecated/terraform/aws/R81/gateway-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway-master/versions.tf
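Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_TokenKey` carry credentials or secret material, yet none is declared `sensitive = true`, so whatever resource attribute they flow into inside the gateway module (presumably the instance user_data — not visible here) is printed in full in plan/apply output and CI logs; this module's versions.tf requires `>= 0.14.3`, where the `sensitive` variable argument is available, so add `sensitive = true` to each of the six. `gateway_TokenKey` also has no `default`, which makes it a required input even though the README's Inputs table marks it optional with default "" and the sample terraform.tfvars sets it to an empty string; add `default = ""`. Finally, the `null_resource "volume_size_too_small"` count trick predates input validation, and `configuration_template` in the same file already uses a `validation` block, so `volume_size` should too: `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100." }`.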
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/gateway/README.md b/deprecated/terraform/aws/R81/gateway/README.md
new file mode 100755
index 00000000..c9052114
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway/README.md
@@ -0,0 +1,192 @@ +# Check Point CloudGuard Network Security Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation + +See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gateway/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/gateway/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Gateway-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + gateway_TokenKey = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + + // --- Automatic Provisioning with Security Management Server Settings (optional) --- + control_gateway_over_public_or_private_address = "private" + management_server = "" + configuration_template = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Gateway instance: + ``` + allocate_and_associate_eip = true + ``` + - To create route from '0.0.0.0/0' to the Security Gateway instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|-----------------------|----------------------------------------------------| +| ami_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_url | URL to the portal of the deployed Security Gateway | +| gateway_public_ip | The deployed Security Gateway Server AWS public ip | +| gateway_instance_id | The deployed Security Gateway AWS instance id | +| gateway_instance_name | The deployed Security Gateway AWS instance name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode 
password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/gateway/locals.tf b/deprecated/terraform/aws/R81/gateway/locals.tf new file mode 100755 index 00000000..79c894db --- /dev/null +++ b/deprecated/terraform/aws/R81/gateway/locals.tf 
@@ -0,0 +1,48 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ //will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_token = split(" ", var.gateway_TokenKey)
+ token_decode = base64decode(element(local.split_token, length(local.split_token)-1))
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ regex_token = regex(local.regex_token_valid, local.token_decode) == local.token_decode ? 0 : "Smart-1 Cloud token is invalid format"
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 
0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/gateway/main.tf b/deprecated/terraform/aws/R81/gateway/main.tf new file mode 100755 index 00000000..164d6bf0 --- /dev/null +++ b/deprecated/terraform/aws/R81/gateway/main.tf 
@@ -0,0 +1,119 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+ chkp_type = "gateway"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+}
+
+resource "aws_iam_instance_profile" "gateway_instance_profile" {
+ count = local.enable_cloudwatch_policy
+ path = "/"
+ role = aws_iam_role.gateway_iam_role[count.index].name
+}
+
+resource "aws_iam_role" "gateway_iam_role" {
+ count = local.enable_cloudwatch_policy
+ assume_role_policy = data.aws_iam_policy_document.gateway_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "gateway_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_role.gateway_iam_role[count.index].name
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name
+}
+
+resource "aws_network_interface" "public_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth0"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+resource "aws_network_interface" "private_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth1"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) }
+}
+
+module "common_eip" {
+ source = "../modules/common/elastic_ip"
+ depends_on = [
+ module.common_gateway_instance
+ ]
+
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ external_eni_id = aws_network_interface.public_eni.id
+ private_ip_address = aws_network_interface.public_eni.private_ip
+}
+
+module "common_internal_default_route" {
+ source = "../modules/common/internal_default_route"
+
+ private_route_table = var.private_route_table
+ internal_eni_id = aws_network_interface.private_eni.id
+}
+
+module "common_gateway_instance" {
+ source = "../modules/common/gateway_instance"
+
+ external_eni_id = aws_network_interface.public_eni.id
+ internal_eni_id = aws_network_interface.private_eni.id
+ gateway_name = var.gateway_name
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ gateway_version = module.amis.version_license_with_suffix
+ gateway_instance_type = var.gateway_instance_type
+ instance_tags = var.instance_tags
+ key_name = var.key_name
+ iam_instance_profile_id = (local.enable_cloudwatch_policy == 1 ? 
aws_iam_instance_profile.gateway_instance_profile[0].id : "")
+ ami_id = module.amis.ami_id
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway/output.tf b/deprecated/terraform/aws/R81/gateway/output.tf
new file mode 100755
index 00000000..ab3c934f
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway/output.tf
@@ -0,0 +1,21 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "permissive_sg_id" {
+ value = module.common_permissive_sg.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.common_permissive_sg.permissive_sg_name
+}
+output "gateway_url" {
+ value = format("https://%s", module.common_eip.gateway_eip_public_ip[0])
+}
+output "gateway_public_ip" {
+ value = module.common_eip.gateway_eip_public_ip
+}
+output "gateway_instance_id" {
+ value = module.common_gateway_instance.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.common_gateway_instance.gateway_instance_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway/terraform.tfvars b/deprecated/terraform/aws/R81/gateway/terraform.tfvars
new file mode 100755
index 00000000..02b1f781
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway/terraform.tfvars
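Review bot: `output "gateway_url"` indexes `module.common_eip.gateway_eip_public_ip[0]` unconditionally, while `gateway_public_ip` treats the same value as a list; with `allocate_and_associate_eip = false` the elastic_ip module (not visible here) presumably yields an empty list, and an invalid index on an output aborts the whole apply rather than just leaving the URL blank. Guarding it keeps the optional EIP genuinely optional: `value = try(format("https://%s", module.common_eip.gateway_eip_public_ip[0]), "")`. The `try` function is available in every Terraform release that satisfies the `>= 0.14.3` pin in this commit's versions.tf.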
@@ -0,0 +1,46 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- Automatic Provisioning with Security Management Server Settings (optional) ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway/variables.tf b/deprecated/terraform/aws/R81/gateway/variables.tf
new file mode 100755
index 00000000..7d32ab1a
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway/variables.tf
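Review bot: `gateway_SICKey = "12345678"` ships a working SIC key in a file Terraform loads automatically, and the value satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so an operator who edits only the network section deploys with the published key and the validation never fires. Shipping it empty, `gateway_SICKey = ""`, makes the existing check reject the plan until a real key is set; the alternative is to commit the file as `terraform.tfvars.example` so nothing is picked up unedited. `key_name = "publickey"` and the `gateway_hostname`/`resources_tag_name` samples are harmless placeholders and can stay as they are.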
@@ -0,0 +1,192 @@
+// Module: Check Point CloudGuard Network Security Gateway into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_id" {
+ type = string
+ description = "The public subnet of the security gateway"
+}
+variable "private_subnet_id" {
+ type = string
+ description = "The private subnet of the security gateway"
+}
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Security Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instance"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 
0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance" + default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "gateway_TokenKey" {
+ type = string
+ description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) Security Gateway prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the Security Gateway is provisioned using its private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = ""
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = ""
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gateway/versions.tf b/deprecated/terraform/aws/R81/gateway/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gateway/versions.tf
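Review bot: None of the secret-bearing inputs is declared `sensitive = true` — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_TokenKey` — so their values are printed in `terraform plan`/`apply` output and in any CI log that captures it; this commit's versions.tf pins `required_version = ">= 0.14.3"`, which supports the attribute, so add `sensitive = true` to each of those blocks and it will propagate through the `module "common_gateway_instance"` arguments in main.tf. `vpc_id` is the only input without a `description`; `description = "The VPC id in which to deploy"` matches the wording the README table already uses. The `null_resource "volume_size_too_small"` count-as-assertion belongs in a `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100." }` block on `volume_size`, the form `configuration_template` already uses at the end of this hunk, so the check stays with the variable and is reported by name.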
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/gwlb-master/README.md b/deprecated/terraform/aws/R81/gwlb-master/README.md
new file mode 100755
index 00000000..61bfad54
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/README.md
@@ -0,0 +1,236 @@ +# Check Point CloudGuard Network Gateway Load Balancer Master Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can 
be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + 
minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221215 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/gwlb-master/locals.tf b/deprecated/terraform/aws/R81/gwlb-master/locals.tf new file mode 100755 index 00000000..29a557ee --- /dev/null +++ b/deprecated/terraform/aws/R81/gwlb-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 
0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb-master/main.tf b/deprecated/terraform/aws/R81/gwlb-master/main.tf
new file mode 100755
index 00000000..da8bf39c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/main.tf
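Review bot: The `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` patterns only require each octet to be one to three digits, so a value such as 999.1.1.1/24 passes this plan-time check and is rejected only when the security-group rule is created at apply time; the per-octet 0-255 alternation already used in `regex_valid_vpc_cidr` a few lines above, or simply `can(cidrnetmask(var.admin_cidr))`, would catch it here. Two comments are also out of step with the code: `validate_control_over_public_or_private` indexes `var.gateways_provision_address_type` while its comment names `var.control_gateway_over_public_or_private_address`, and `regex_valid_management_server` / `regex_valid_configuration_template` explicitly accept the empty string (the trailing `|)` alternative) although their error messages say the variable "can not be an empty string". Suggest fixing the comment and rewording those two messages to "must be a valid hostname-style name (letters, digits, hyphens)" so a failed plan points at the real cause. `regex_gateway_maintenance_mode_password_hash` also validates against `local.regex_valid_management_password_hash` rather than the gateway pattern defined two lines earlier; the patterns are identical today, but the reference should use the gateway one so they do not drift apart.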
@@ -0,0 +1,69 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "gwlb" {
+ source = "../gwlb"
+ providers = {
+ aws = aws
+ }
+ vpc_id = module.launch_vpc.vpc_id
+ subnet_ids = module.launch_vpc.public_subnets_ids_list
+
+ // --- General Settings ---
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ volume_size = var.volume_size
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ admin_shell = var.admin_shell
+
+ // --- Gateway Load Balancer Configuration ---
+ gateway_load_balancer_name = var.gateway_load_balancer_name
+ target_group_name = var.target_group_name
+ connection_acceptance_required = false
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
+ // --- Check 
Point CloudGuard IaaS Security Management Server Configuration ---
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb-master/output.tf b/deprecated/terraform/aws/R81/gwlb-master/output.tf
new file mode 100755
index 00000000..15cb48a3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb-master/terraform.tfvars b/deprecated/terraform/aws/R81/gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..f0f13c92
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/terraform.tfvars
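Review bot: `connection_acceptance_required = false` is hard-coded in the `module "gwlb"` block, so the `connection_acceptance_required` value that the README's Inputs table and the terraform.tfvars sample in this same commit both expose is silently ignored, and any deployment that sets it to true still creates an endpoint service that accepts every consumer request without review. It should be wired through like its neighbours, `connection_acceptance_required = var.connection_acceptance_required`, assuming the variable is declared in variables.tf (that hunk is cut off in this view). If the hard-coded false is intentional for this module, the README row and the tfvars line should be removed instead so operators are not led to believe the knob works.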
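Review bot: The `management_public_ip`, `gwlb_arn` and `gwlb_service_name` outputs apply a full splat `[*]` to `module.gwlb`, which is declared without `count` or `for_each`; Terraform wraps a non-collection value in a one-element list in that case, so consumers receive `["1.2.3.4"]`-style lists rather than the plain strings the README's Outputs table describes. Unless the list shape is deliberate, the plain references `value = module.gwlb.management_public_ip` (and likewise for the other two) would match the documented contract. Separately, the README in this commit lists the output as `managment_public_ip` (typo) and advertises a `load_balancer_url` output that this file does not declare; one of the two should be corrected.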
@@ -0,0 +1,56 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
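Review bot: `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` ship a ready-to-apply sample that, per the variable descriptions in this commit's README ("Allow web, ssh, and graphical clients only from this network to communicate with the Management Server"), exposes the management server's administrative ports to every source address the moment someone runs `terraform apply` without editing the file; the README's own sample block leaves both empty. Since the locals in this commit reject values that do not match the CIDR pattern, a non-routable placeholder is the safer default, for example `admin_cidr = "203.0.113.0/24" # constructed placeholder (documentation range) - replace with your admin network` and the same for `gateways_addresses`. The shipped `gateway_SICKey = "12345678"` is likewise the minimum value the validation accepts and is easy to leave in place; a comment such as `# replace before apply: choose a random string of at least 8 alphanumeric characters` next to it would help. Minor: `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are strings while the README documents both as bool; Terraform converts them, but unquoted `false`/`true` would match the declared types.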
diff --git a/deprecated/terraform/aws/R81/gwlb-master/variables.tf b/deprecated/terraform/aws/R81/gwlb-master/variables.tf
new file mode 100755
index 00000000..fd72c46c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/variables.tf
@@ -0,0 +1,274 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "number_of_AZs" {
+ type = number
+ description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter"
+ default = 2
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "connection_acceptance_required" {
+ type = bool
+ description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required)."
+ default = false
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
+// --- Other parameters ---
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb-master/versions.tf b/deprecated/terraform/aws/R81/gwlb-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/gwlb/README.md b/deprecated/terraform/aws/R81/gwlb/README.md
new file mode 100755
index 00000000..de0e043e
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/README.md
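Review bot: None of the secret-bearing variables in this file — `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash`, `management_maintenance_mode_password_hash` — is declared with `sensitive = true`, so their values are echoed in plan and apply output and in any CI log that captures it. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, which is past the release that introduced the attribute, so adding `sensitive = true` to each of those blocks is a compatible one-line change per variable. The length checks written as `resource "null_resource" ... { count = ... ? 0 : "..." }` depend on a type error in `count` to surface their message and leave phantom resources in state when they pass, while `configuration_template` in the same file already uses a `validation` block; `volume_size_too_small`, `gateway_load_balancer_name_too_long` and `target_group_name_too_long` each check a single variable and could move to that form with the existing string as `error_message` (`invalid_allocation` spans two variables and is a separate question for this Terraform floor). The `number_of_AZs` description also refers to a "list of Availability Zones parameter", but no such variable is declared in this file; presumably the zones come from `public_subnets_map`, and the description should say so.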
@@ -0,0 +1,229 @@ +# Check Point CloudGuard Network Gateway Load Balancer Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345" + subnet_ids = ["subnet-123457", "subnet-123456"] + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 
10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for GWLB: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| subnet_ids | The VPC subnets ID | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. 
| string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220523 | Add support for cross zone load balancing | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/gwlb/locals.tf b/deprecated/terraform/aws/R81/gwlb/locals.tf new file mode 100755 index 00000000..44363311 --- /dev/null +++ b/deprecated/terraform/aws/R81/gwlb/locals.tf 
@@ -0,0 +1,55 @@
+locals {
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
\ No newline at end of file
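Review bot: The comment above `validate_control_over_public_or_private` refers to `var.control_gateway_over_public_or_private_address`, but the check reads `var.gateways_provision_address_type`, and the SIC-key error message names `[gateway_SIC_Key]` while the variable is `gateway_SICKey`; both should name the real input so a failed plan points the operator at the right variable. `regex_gateway_maintenance_mode_password_hash` validates against `local.regex_valid_management_password_hash` instead of `local.regex_valid_gateway_password_hash`; the two patterns are identical today, but the gateway check should reference the gateway pattern so the two can diverge safely. The CIDR patterns accept any 1–3 digit octet, so a value such as `999.0.0.0/0` passes validation; `can(cidrnetmask(var.admin_cidr))` (and the same for `gateways_addresses`) is a stricter check available at the Terraform version pinned in versions.tf. The key_name message `"must be a none empty string"` should read `"must be a non-empty string"`.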
diff --git a/deprecated/terraform/aws/R81/gwlb/main.tf b/deprecated/terraform/aws/R81/gwlb/main.tf
new file mode 100755
index 00000000..7c4e4616
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/main.tf
@@ -0,0 +1,99 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+module "gateway_load_balancer" {
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = "gateway"
+ instances_subnets = var.subnet_ids
+ prefix_name = var.gateway_load_balancer_name
+ internal = true
+
+ security_groups = []
+ tags = {
+ x-chkp-management = var.management_server
+ x-chkp-template = var.configuration_template
+ }
+ vpc_id = var.vpc_id
+ load_balancer_protocol = "GENEVE"
+ target_group_port = 6081
+ listener_port = 6081
+ cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+}
+
+resource "aws_vpc_endpoint_service" "gwlb_endpoint_service" {
+depends_on = [module.gateway_load_balancer]
+ gateway_load_balancer_arns = module.gateway_load_balancer[*].load_balancer_arn
+ acceptance_required = var.connection_acceptance_required
+
+ tags = {
+ "Name" = "gwlb-endpoint-service-${var.gateway_load_balancer_name}"
+ }
+}
+
+module "autoscale_gwlb" {
+ source = "../autoscale-gwlb"
+ providers = {
+ aws = aws
+ }
+ depends_on = [module.gateway_load_balancer]
+
+ target_groups = module.gateway_load_balancer[*].target_group_arn
+ vpc_id = var.vpc_id
+ subnet_ids = var.subnet_ids
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ admin_shell = var.admin_shell
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ volume_type = var.volume_type
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ? 1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.subnet_ids[0]
+ management_name = var.management_server
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = true
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ admin_shell = var.admin_shell
+ gateway_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_gwlb\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn gwlb-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; echo -e '\nFinished Bootstrap script\n'"
+ volume_type = var.volume_type
+ is_gwlb_iam = true
+}
diff --git a/deprecated/terraform/aws/R81/gwlb/output.tf b/deprecated/terraform/aws/R81/gwlb/output.tf
new file mode 100755
index 00000000..3beba7ee
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/output.tf
@@ -0,0 +1,22 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "gwlb_arn" {
+ value = module.gateway_load_balancer.load_balancer_arn
+}
+output "gwlb_service_name" {
+ value = "com.amazonaws.vpce.${data.aws_region.current.name}.${aws_vpc_endpoint_service.gwlb_endpoint_service.id}"
+}
+output "management_public_ip" {
+ depends_on = [module.management]
+ value = module.management[*].management_public_ip
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb/terraform.tfvars b/deprecated/terraform/aws/R81/gwlb/terraform.tfvars
new file mode 100755
index 00000000..0e26ad11
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/terraform.tfvars
@@ -0,0 +1,52 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-123456", "subnet-345678"]
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
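Review bot: `management_bootstrap_script` splices `${var.gateways_policy}` and `${var.gateway_SICKey}` unquoted into the `autoprov_cfg` shell command, and `gateways_policy` has no validation anywhere in this module (locals.tf validates `management_server` and `configuration_template` but not the policy name), so a value containing whitespace or shell metacharacters changes the command line instead of failing the plan. Single-quoting the interpolations, `-po '${var.gateways_policy}' -otp '${var.gateway_SICKey}'`, plus a `validation` block on `gateways_policy` that rejects quotes and metacharacters, keeps the command shape fixed. The SIC key is a shared secret; this string is presumably delivered to the instance as user data by the management module, where it stays readable through the instance's user-data attribute after boot and is also recorded in Terraform state, so a comment on this line such as `// NOTE: the SIC one-time key is embedded in the bootstrap/user-data text; treat it as exposed once the management server has initialised` would make that trade-off visible to operators. The `depends_on` line inside `aws_vpc_endpoint_service` sits at column 0 while the rest of the block is indented.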
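Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, which by the variable descriptions in variables.tf opens web, SSH and graphical-client access to the management server from any address, and `gateway_SICKey = "12345678"`, a value that only just satisfies the 8-alphanumeric rule; sample tfvars files tend to be applied as-is, so an inline marker such as `admin_cidr = "0.0.0.0/0" # CHANGE ME: restrict to your administration network` and an obviously placeholder SIC key would make the intent clear. `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are quoted strings for variables declared `type = bool`; Terraform converts them, but `allocate_public_IP = false` in the same file uses the bare literal and one form should be used throughout.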
diff --git a/deprecated/terraform/aws/R81/gwlb/variables.tf b/deprecated/terraform/aws/R81/gwlb/variables.tf
new file mode 100755
index 00000000..5f099c6c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/variables.tf
@@ -0,0 +1,263 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. Recommended at least 2"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "connection_acceptance_required" {
+ type = bool
+ description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required)."
+ default = false
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
+// --- Other parameters ---
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/gwlb/versions.tf b/deprecated/terraform/aws/R81/gwlb/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/gwlb/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/management/README.md b/deprecated/terraform/aws/R81/management/README.md
new file mode 100755
index 00000000..6d2dc8a6
--- /dev/null
+++ b/deprecated/terraform/aws/R81/management/README.md
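Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash` and the two maintenance-mode hash variables are plain `string` inputs without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and any CI log that captures it; versions.tf in this commit pins `required_version = ">= 0.14.3"`, which supports the attribute, so each of those blocks can carry `sensitive = true`. `volume_size` is declared and guarded by `null_resource.volume_size_too_small`, but main.tf in this commit does not pass it to `module.autoscale_gwlb` or `module.management`, so the tfvars value appears to have no effect; confirm whether the submodules pick it up some other way, otherwise drop or wire the variable. The `null_resource` count-string pattern (`volume_size_too_small`, `gateway_load_balancer_name_too_long`, `target_group_name_too_long`, `invalid_allocation`) surfaces the message only inside a count type-conversion error, while this same file already uses a `validation` block on `configuration_template`; a `validation` block with the same condition and `error_message` on each of those variables would be consistent and fail with the intended text. The `gateway_password_hash`/`management_password_hash` descriptions say `openssl passwd -6`, whereas the gwlb README in this commit says `grub2-mkpasswd-pbkdf2`, which yields a different hash format; one of the two instructions should be corrected to match what the image accepts.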
@@ -0,0 +1,201 @@ +# Check Point CloudGuard Network Security Management Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Management Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Security Management Server with CloudGuard for AWS](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/management/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/management/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/management/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + management_name = "CP-Management-tf" + management_instance_type = "m5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + management_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ // --- Security Management Server Settings --- + management_hostname = "mgmt-tf" + management_installation_type = "Primary management" + SICKey = "" + allow_upload_download = "true" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" + management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Management instance: + ``` + allocate_and_associate_eip = true + ``` + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| management_name | (Optional) The name tag of the Security Management instance | string | n/a | Check-Point-Management-tf | no | +| management_instance_type | The instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance | map(string) | n/a | {} | no | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | +| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | +| management_version | Management version and license | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | +| management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| management_installation_type | Determines if this is the primary management server, secondary management server or log server | string | - Primary management
- Secondary management
- Log Server
| Primary management | yes | +| SICKey | Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| management_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|--------------------------------------------------------------| +| management_instance_id | The deployed Security Management Server AWS instance id | +| management_instance_name | The deployed Security Management AWS instance name | +| management_instance_tags | The deployed Security Management Server AWS tags | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240207 | Added Log Server installation support | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/management/locals.tf b/deprecated/terraform/aws/R81/management/locals.tf new file mode 100755 index 00000000..896719ba --- /dev/null +++ b/deprecated/terraform/aws/R81/management/locals.tf 
@@ -0,0 +1,76 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.iam_permissions) + + use_role = var.iam_permissions == "None (configure later)" ? 0 : 1 + create_iam_role = var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions" + pre_role = (local.use_role == 1 && local.create_iam_role == false) ? 1 : 0 + new_instance_profile = (local.create_iam_role == true && local.use_role == 1) ? 1 : 0 + + new_instance_profile_general = local.new_instance_profile == 1 && var.is_gwlb_iam == false ? 1 : 0 + new_instance_profile_gwlb = local.new_instance_profile == 1 && var.is_gwlb_iam ? 1 : 0 + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 
0 : "Variable [key_name] must be a none empty string" + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // Will fail if var.gateway_management is invalid + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})" + // Will fail if var.SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.SICKey) == var.SICKey ? 0 : "Variable [SICKey] must be at least 8 alphanumeric characters" + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.management_version), 0) + + management_bootstrap_script64 = base64encode(var.management_bootstrap_script) + management_SICkey_base64=base64encode(var.SICKey) + management_password_hash_base64=base64encode(var.management_password_hash) + maintenance_mode_password_hash_base64=base64encode(var.management_maintenance_mode_password_hash) + + manage_over_the_internet = var.gateway_management == "Over the internet" ? true : false + manage_over_internet_and_EIP = var.allocate_and_associate_eip && local.manage_over_the_internet ? true : false + pub_mgmt = local.manage_over_internet_and_EIP ? true : false + + management_installation_type_allowed_values = [ + "Primary management", + "Secondary management", + "Log Server"] + validate_management_installation_type = index(local.management_installation_type_allowed_values, var.management_installation_type) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/management/main.tf b/deprecated/terraform/aws/R81/management/main.tf new file mode 100755 index 00000000..3714dfa2 --- /dev/null +++ b/deprecated/terraform/aws/R81/management/main.tf 
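Review bot: The SIC key check on `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` cannot reject anything: the pattern is unanchored and its first alternative is empty, so `regex()` always finds a (possibly empty) match and never errors, and as far as I can tell the `? 0 : "Variable [SICKey] must be ..."` ternary only yields a string instead of failing the plan. The other checks in this file appear to work only because their anchored patterns make `regex()` throw on a bad value, so a short or non-alphanumeric SICKey passes straight through to user_data. Anchor the pattern: `regex_valid_sic_key = "^(|[a-zA-Z0-9]{8,})$"`. Note also that `var.management_hostname` is interpolated into a shell command by management_userdata.yaml but has no validation at all in this file.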
@@ -0,0 +1,221 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.management_version + chkp_type = "management" +} + +resource "aws_security_group" "management_sg" { + description = "terraform Management security group" + vpc_id = var.vpc_id + name_prefix = format("%s_SecurityGroup", var.management_name) + // Group name + tags = { + Name = format("%s_SecurityGroup", var.management_name) + // Resource name + } + ingress { + from_port = 257 + to_port = 257 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18191 + to_port = 18191 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18192 + to_port = 18192 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18208 + to_port = 18208 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18210 + to_port = 18210 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18211 + to_port = 18211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18221 + to_port = 18221 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18264 + to_port = 18264 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 18190 + to_port = 18190 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 19009 + to_port = 19009 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_network_interface" 
"external-eni" { + subnet_id = var.subnet_id + security_groups = [aws_security_group.management_sg.id] + description = "eth0" + source_dest_check = true + tags = { + Name = format("%s-network_interface", var.management_name) + } +} + +resource "aws_eip" "eip" { + count = var.allocate_and_associate_eip ? 1 : 0 + network_interface = aws_network_interface.external-eni.id +} + +resource "aws_iam_instance_profile" "management_instance_profile" { + count = local.pre_role + path = "/" + role = var.predefined_role +} + +resource "aws_launch_template" "management_launch_template" { + depends_on = [ + aws_network_interface.external-eni, + aws_eip.eip + ] + + instance_type = var.management_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): "" + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.external-eni.id + device_index = 0 + } +} + +resource "aws_instance" "management-instance" { + depends_on = [ + aws_launch_template.management_launch_template + ] + + launch_template { + id = aws_launch_template.management_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.management_name + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = var.volume_type + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/management_userdata.yaml", { + // script's arguments + Hostname = var.management_hostname, + PasswordHash = local.management_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp + NTPSecondary = var.secondary_ntp + Shell = var.admin_shell, + AdminSubnet = var.admin_cidr + ManagementInstallationType = var.management_installation_type + SICKey = local.management_SICkey_base64, + OsVersion = local.version_split + EnableInstanceConnect = var.enable_instance_connect + AllocateElasticIP = var.allocate_and_associate_eip + GatewayManagement = var.gateway_management + BootstrapScript = local.management_bootstrap_script64 + PubMgmt = local.pub_mgmt + + }) +} + +module "cme_iam_role" { + source = "../cme-iam-role" + providers = { + aws = aws + } + count = local.new_instance_profile_general + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} + +module "cme_iam_role_gwlb" { + source = "../cme-iam-role-gwlb" + providers = { + aws = aws + } + count = local.new_instance_profile_gwlb + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} diff --git a/deprecated/terraform/aws/R81/management/management_userdata.yaml b/deprecated/terraform/aws/R81/management/management_userdata.yaml new file mode 100755 index 00000000..cfd9e5dc --- /dev/null +++ b/deprecated/terraform/aws/R81/management/management_userdata.yaml 
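Review bot: The `user_data` passed to `aws_instance.management-instance` carries the admin password hash, the maintenance-mode hash and the SIC key protected only by base64 (`PasswordHash = local.management_password_hash_base64`, `SICKey = local.management_SICkey_base64`), so any principal with `ec2:DescribeInstanceAttribute` on the instance, and any local process that can reach the metadata service, can read them; `http_tokens = "required"` in `metadata_options` blocks SSRF-style retrieval but not either of those paths. If that is an accepted property of the bootstrap, say so where the next maintainer will look, e.g. a comment on the `user_data` argument: `# NOTE: secrets below are base64 only; readable via DescribeInstanceAttribute and from IMDS on the instance`. Marking the source variables `sensitive = true` in variables.tf would at least keep them out of plan output.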
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/management/output.tf b/deprecated/terraform/aws/R81/management/output.tf
new file mode 100755
index 00000000..da20727b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/management/output.tf
@@ -0,0 +1,19 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_instance_id" {
+ value = aws_instance.management-instance.id
+}
+output "management_instance_name" {
+ value = aws_instance.management-instance.tags["Name"]
+}
+output "management_instance_tags" {
+ value = aws_instance.management-instance.tags
+}
+output "management_public_ip" {
+ value = aws_instance.management-instance.public_ip
+}
+output "management_url" {
+ value = format("https://%s", aws_instance.management-instance.public_ip)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/management/terraform.tfvars b/deprecated/terraform/aws/R81/management/terraform.tfvars
new file mode 100755
index 00000000..81891681
--- /dev/null
+++ b/deprecated/terraform/aws/R81/management/terraform.tfvars
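Review bot: `hostName=\"${Hostname }\"` interpolates `var.management_hostname` straight into a root-run shell command, and locals.tf validates every other free-text field on this line (NTP servers, CIDR, password hashes, shell, installation type) but not the hostname, so a value containing `\"`, `$(`, `;` or a backtick breaks out of the quoting and executes under cloud-init. The operator supplying tfvars is trusted, but this is the one unvalidated input on the line and the README already says the hostname must avoid reserved words. Add a check next to the others in locals.tf, e.g. `regex_valid_hostname = "^[a-zA-Z0-9\\-]*$"` and `regex_hostname_result = regex(local.regex_valid_hostname, var.management_hostname)`, so `regex()` fails the plan on anything but a hostname label (widen it if FQDNs are meant to be accepted). The stray space in `${Hostname }` is harmless but inconsistent with the other placeholders.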
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+management_name = "CP-Management-tf"
+management_instance_type = "m5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+management_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+// --- Security Management Server Settings ---
+management_hostname = "mgmt-tf"
+management_installation_type = "Primary management"
+SICKey = ""
+allow_upload_download = "true"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/deprecated/terraform/aws/R81/management/variables.tf b/deprecated/terraform/aws/R81/management/variables.tf
new file mode 100755
index 00000000..763918f0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/management/variables.tf
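Review bot: The sample tfvars ships `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` together with `allocate_and_associate_eip = true`, so applying it as-is puts SSH (22), the web portal (443) and the SmartConsole/gateway ports behind an Elastic IP reachable from the whole Internet. Sample values should force the operator to choose, e.g. a placeholder that fails the CIDR check until replaced, or at least a comment such as `# narrow to your admin network before apply` on both lines. Minor: `allow_upload_download = "true"` is a string for a `bool` variable; Terraform converts it, but `allow_upload_download = true` matches the other booleans in this file.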
@@ -0,0 +1,194 @@ +// Module: Check Point CloudGuard Network Security Management Server into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_id" { + type = string + description = "To access the instance from the internet, make sure the subnet has a route to the internet" +} + +// --- EC2 Instance Configuration --- +variable "management_name" { + type = string + description = "(Optional) The name tag of the Security Management instance" + default = "Check-Point-Management-tf" +} +variable "management_instance_type" { + type = string + description = "The instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable AWS Instance Connect - Ec2 Instance Connect is not supported with versions prior to R80.40" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance" + default = {} +} + +// --- IAM Permissions (ignored when the installation is not Primary Management Server) --- +variable "iam_permissions" { + type = string + description = "IAM role to attach to the instance profile" + default = "Create with read permissions" +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'" + default = "" +} +variable "sts_roles" { + type = list(string) + description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). 
Ignored if var.iam_permissions is set to 'None' or 'Use existing'" + default = [] +} + +// --- Check Point Settings --- +variable "management_version" { + type = string + description = "Management version and license" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Security Management Server Settings --- +variable "management_hostname" { + type = string + description = "(Optional) Security Management Server prompt hostname" + default = "" +} +variable "management_installation_type" { + type = string + description = "Determines the Management Server installation type: Primary management, Secondary management, Log Server" + default = "Primary management" +} +variable "SICKey" { + type = string + description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Security Management Server" + default = "0.0.0.0/0" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "management_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "is_gwlb_iam" { + type = bool + default = false +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/management/versions.tf b/deprecated/terraform/aws/R81/management/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/deprecated/terraform/aws/R81/management/versions.tf 
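Review bot: `admin_cidr` and `gateway_addresses` default to `0.0.0.0/0` while `allocate_and_associate_eip` defaults to `true`, so a deployment that sets only the required inputs exposes SSH, HTTPS and the management ports to the Internet by default; dropping the default (making the variable required) or adding a `validation` block that rejects `0.0.0.0/0` would make that an explicit choice. Separately, `secret_key`, `SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` are not marked sensitive although versions.tf's `required_version = ">= 0.14.3"` already allows it, so their values print in clear text in plan output. Add `sensitive = true` to those four variable blocks (and to `access_key`).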
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/mds/README.md b/deprecated/terraform/aws/R81/mds/README.md
new file mode 100755
index 00000000..518acc19
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/README.md
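Review bot: The `http` entry in `required_providers` has a version constraint but no `source`, unlike the `aws` entry beside it, so the provider's origin is left to Terraform's implicit `hashicorp/http` default instead of being pinned explicitly. For an auditable provider set spell it out: `http = { source = "hashicorp/http" version = "~> 3.4.0" }`. If nothing in this module or its sub-modules uses the `http` provider (no visible file references it), dropping the entry is simpler still.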
@@ -0,0 +1,191 @@ +# Check Point CloudGuard Network Multi-Domain Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Multi-Domain Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Multi-Domain Management Deployment on AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143213) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/mds/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/mds/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/mds/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + mds_name = "CP-MDS-tf" + mds_instance_type = "m5.12xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + mds_version = "R81.20-BYOL" + mds_admin_shell = "/etc/cli.sh" + mds_password_hash = "" + mds_maintenance_mode_password_hash = "" + + // --- Multi-Domain Server Settings --- + mds_hostname = "mds-tf" + mds_SICKey = "" + allow_upload_download = "true" + mds_installation_type = "Primary Multi-Domain Server" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" 
+ mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + and + mds_installation_type = "Primary Multi-Domain Server" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| mds_name | (Optional) The name tag of the Multi-Domain Server instance | string | n/a | Check-Point-MDS-tf | no | +| mds_instance_type | The instance type of the Multi-Domain Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.12xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | +| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | +| mds_version | Multi-Domain Server version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | +| mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| mds_SICKey | Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| mds_installation_type | Determines the Multi-Domain Server installation type | string | - Primary Multi-Domain Server
- Secondary Multi-Domain Server
- Multi-Domain Log Server | Primary Multi-Domain Server | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| mds_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| mds_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). 
| string | n/a | "" | no | + + +## Outputs +| Name | Description | +|-------------------|----------------------------------------------------| +| mds_instance_id | The deployed Multi-Domain Server AWS instance id | +| mds_instance_name | The deployed Multi-Domain Server AWS instance name | +| mds_instance_tags | The deployed Multi-Domain Server AWS tags | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/mds/locals.tf b/deprecated/terraform/aws/R81/mds/locals.tf new file mode 100755 index 00000000..7dd690a2 --- /dev/null +++ b/deprecated/terraform/aws/R81/mds/locals.tf 
@@ -0,0 +1,69 @@
+locals {
+ permissions_allowed_values = [
+ "None (configure later)",
+ "Use existing (specify an existing IAM role name)",
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.iam_permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.iam_permissions)
+
+ installation_type_allowed_values = [
+ "Primary Multi-Domain Server",
+ "Secondary Multi-Domain Server",
+ "Multi-Domain Log Server"]
+ // Will fail if var.mds_installation_type is invalid
+ validate_installation_type = index(local.installation_type_allowed_values, var.mds_installation_type)
+
+ primary_mds = var.mds_installation_type == "Primary Multi-Domain Server"
+ secondary_mds = var.mds_installation_type == "Secondary Multi-Domain Server"
+
+ use_role = var.iam_permissions != "None (configure later)" && local.primary_mds ? 1 : 0
+ create_iam_role = (local.primary_mds) && (var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions")
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.mds_admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_subnet or var.gateway_addresses are invalid
+ mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.mds_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.mds_hostname) == var.mds_hostname ? 0 : "Variable [mds_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_mds_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.mds_password_hash is invalid
+ regex_mds_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_password_hash) == var.mds_password_hash ? 0 : "Variable [mds_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_maintenance_mode_password_hash) == var.mds_maintenance_mode_password_hash ? 0 : "Variable [mds_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"
+ // Will fail if var.mds_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.mds_SICKey) == var.mds_SICKey ? 0 : "Variable [mds_SICKey] must be at least 8 alphanumeric characters"
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.mds_version), 0)
+
+ mds_bootstrap_script64 = base64encode(var.mds_bootstrap_script)
+ mds_SICkey_base64 = base64encode(var.mds_SICKey)
+ mds_password_hash_base64 =base64encode(var.mds_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.mds_maintenance_mode_password_hash)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/mds/main.tf b/deprecated/terraform/aws/R81/mds/main.tf
new file mode 100755
index 00000000..8a22b264
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/main.tf
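Review bot: The SIC key check at the end of this hunk never rejects anything: `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` is unanchored and its first alternative is empty, so `regex()` always finds a match and never raises, unlike the anchored hostname, NTP and password-hash patterns above it. The `== var.mds_SICKey ? 0 : "..."` tails enforce nothing on their own either — these `regex_*` locals are plain values that nothing in main.tf consumes, so only a `regex()` no-match error can stop the plan. Anchoring it, `regex_valid_sic_key = "^(|[a-zA-Z0-9]{8,})$"`, makes a short or non-alphanumeric key fail at plan time instead of being base64-encoded and shipped in user data; the variable description also calls the key mandatory for Secondary and Log Server installs, which nothing here checks when `mds_installation_type` is not Primary. Separately, the message on `mgmt_subnet_regex_result` names `var.admin_subnet` while the value validated is `var.admin_cidr`.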
@@ -0,0 +1,194 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.mds_version
+ chkp_type = "mds"
+}
+
+resource "aws_security_group" "mds_sg" {
+ description = "terraform Multi-Domain Server security group"
+ vpc_id = var.vpc_id
+ name_prefix = format("%s_SecurityGroup", var.mds_name)
+ // Group name
+ tags = {
+ Name = format("%s_SecurityGroup", var.mds_name)
+ // Resource name
+ }
+ ingress {
+ from_port = 257
+ to_port = 257
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 8211
+ to_port = 8211
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18191
+ to_port = 18191
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18192
+ to_port = 18192
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18208
+ to_port = 18208
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18210
+ to_port = 18210
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18211
+ to_port = 18211
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18221
+ to_port = 18221
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 18264
+ to_port = 18264
+ protocol = "tcp"
+ cidr_blocks = [var.gateway_addresses]
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 18190
+ to_port = 18190
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+ ingress {
+ from_port = 19009
+ to_port = 19009
+ protocol = "tcp"
+ cidr_blocks = [var.admin_cidr]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_iam_instance_profile" "mds_instance_profile" {
+ count = local.use_role
+ path = "/"
+ role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role
+}
+
+resource "aws_network_interface" "external-eni" {
+ subnet_id = var.subnet_id
+ security_groups = [aws_security_group.mds_sg.id]
+ description = "eth0"
+ source_dest_check = true
+ tags = {
+ Name = format("%s-network_interface", var.mds_name)
+ }
+}
+
+resource "aws_launch_template" "mds_launch_template" {
+ instance_type = var.mds_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = local.use_role == 1 ? aws_iam_instance_profile.mds_instance_profile[0].id : ""
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.external-eni.id
+ device_index = 0
+ }
+}
+
+resource "aws_instance" "mds-instance" {
+ launch_template {
+ id = aws_launch_template.mds_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.mds_name
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ user_data = templatefile("${path.module}/mds_userdata.yaml", {
+ // script's arguments
+ Hostname = var.mds_hostname,
+ PasswordHash = local.mds_password_hash_base64
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
+ AllowUploadDownload = var.allow_upload_download,
+ NTPPrimary = var.primary_ntp
+ NTPSecondary = var.secondary_ntp
+ Shell = var.mds_admin_shell,
+ AdminSubnet = var.admin_cidr
+ IsPrimary = local.primary_mds
+ IsSecondary = local.secondary_mds
+ SICKey = local.mds_SICkey_base64,
+ EnableInstanceConnect = var.enable_instance_connect
+ BootstrapScript = local.mds_bootstrap_script64
+ OsVersion = local.version_split
+ })
+}
+
+module "cme_iam_role" {
+ source = "../cme-iam-role"
+ providers = {
+ aws = aws
+ }
+ count = local.create_iam_role ? 1 : 0
+
+ sts_roles = var.sts_roles
+ permissions = var.iam_permissions
+}
diff --git a/deprecated/terraform/aws/R81/mds/mds_userdata.yaml b/deprecated/terraform/aws/R81/mds/mds_userdata.yaml
new file mode 100755
index 00000000..cd0085c6
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/mds_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/mds/output.tf b/deprecated/terraform/aws/R81/mds/output.tf
new file mode 100755
index 00000000..c1d3783a
--- /dev/null
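Review bot: `user_data` on `aws_instance.mds-instance` embeds the admin password hash, the maintenance-mode password hash and the SIC key, and locals.tf only base64-encodes them, so any principal allowed `ec2:DescribeInstanceAttribute` on the instance, and any process that can read IMDS from inside it, obtains them; `metadata_options.http_tokens` narrows the in-instance path only while `metadata_imdsv2_required` is true. A comment above `user_data` would make that explicit for operators: `// NOTE: password hashes and the SIC key are base64-encoded (not encrypted) in user data; scope ec2:DescribeInstanceAttribute accordingly and keep metadata_imdsv2_required = true`. In the same hunk, `ebs_block_device` hard-codes `volume_type = "gp2"` while the management module in this commit exposes a `volume_type` variable defaulting to gp3; mirroring that variable here would keep the two modules consistent. All of main.tf lies within this hunk.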
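Review bot: Every `${…}` in the `runcmd` entry is interpolated verbatim into one shell command line, and the only reason that is safe is validation elsewhere in this commit: locals.tf anchors `hostName`, `adminSubnet` and the NTP values with regexes, `shell` is checked against an allow-list with `index()`, and the SIC key, both hashes and the bootstrap script arrive base64-encoded; `osVersion` depends on `module.validate_mds_version`, whose checks are not in this diff. That coupling deserves a comment after `#cloud-config`, e.g. `# every interpolated value below must stay validated in locals.tf — they land unescaped on the shell line`, so a variable added later without a regex does not become a command-injection path. Also `${Hostname }` carries a stray space before the closing brace; Terraform tolerates it, but `${Hostname}` matches the other references.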
+++ b/deprecated/terraform/aws/R81/mds/output.tf
@@ -0,0 +1,13 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "mds_instance_id" {
+ value = aws_instance.mds-instance.id
+}
+output "mds_instance_name" {
+ value = aws_instance.mds-instance.tags["Name"]
+}
+output "mds_instance_tags" {
+ value = aws_instance.mds-instance.tags
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/mds/terraform.tfvars b/deprecated/terraform/aws/R81/mds/terraform.tfvars
new file mode 100755
index 00000000..e79af359
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/terraform.tfvars
@@ -0,0 +1,41 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+mds_name = "CP-MDS-tf"
+mds_instance_type = "m5.12xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+mds_version = "R81.20-BYOL"
+mds_admin_shell = "/etc/cli.sh"
+mds_password_hash = ""
+mds_maintenance_mode_password_hash = ""
+
+// --- Multi-Domain Server Settings ---
+mds_hostname = "mds-tf"
+mds_SICKey = ""
+allow_upload_download = "true"
+mds_installation_type = "Primary Multi-Domain Server"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/deprecated/terraform/aws/R81/mds/variables.tf b/deprecated/terraform/aws/R81/mds/variables.tf
new file mode 100755
index 00000000..f4218e4c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/variables.tf
@@ -0,0 +1,175 @@
+// Module: Check Point CloudGuard Network Multi-Domain Server into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_id" {
+ type = string
+ description = "To access the instance from the internet, make sure the subnet has a route to the internet"
+}
+
+// --- EC2 Instance Configuration ---
+variable "mds_name" {
+ type = string
+ description = "(Optional) The name tag of the Multi-Domain Server instance"
+ default = "Check-Point-MDS-tf"
+}
+variable "mds_instance_type" {
+ type = string
+ description = "The instance type of the Multi-Domain Server"
+ default = "m5.2xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "mds"
+ instance_type = var.mds_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance"
+ default = {}
+}
+
+// --- IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server) ---
+variable "iam_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read permissions"
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'"
+ default = ""
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing'"
+ default = []
+}
+
+// --- Check Point Settings ---
+variable "mds_version" {
+ type = string
+ description = "Multi-Domain Server version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_mds_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "mds"
+ version_license = var.mds_version
+}
+variable "mds_admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "mds_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "mds_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Multi-Domain Server Settings ---
+variable "mds_hostname" {
+ type = string
+ description = "(Optional) Multi-Domain Server prompt hostname"
+ default = ""
+}
+variable "mds_SICKey" {
+ type = string
+ description = "Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "mds_installation_type" {
+ type = string
+ description = "Determines the Multi-Domain Server installation type"
+ default = "Primary Multi-Domain Server"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server"
+ default = "0.0.0.0/0"
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "mds_bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
diff --git a/deprecated/terraform/aws/R81/mds/versions.tf b/deprecated/terraform/aws/R81/mds/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/mds/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/modules/amis/main.tf b/deprecated/terraform/aws/R81/modules/amis/main.tf
new file mode 100755
index 00000000..b97de4e1
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/amis/main.tf
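Review bot: `mds_instance_type` defaults to `"m5.2xlarge"` here, while the README's Inputs table in this same commit lists `m5.12xlarge` as the default and terraform.tfvars sets `m5.12xlarge`; one of the three should change so the documented default is the real one. `admin_cidr` and `gateway_addresses` both default to `"0.0.0.0/0"`, which through main.tf's `mds_sg` opens 22, 443, 18190 and 19009 (admin) and the gateway ports to every address; dropping the default so callers must name a range, or at least stating in the description that the default exposes SSH and HTTPS to the internet, would let an unparameterized apply fail safe. `vpc_id` is the only variable without a `description`; `description = "The VPC id in which to deploy"` matches the README wording. The README's table also marks `metadata_imdsv2_required` as required although it has `default = true` here; that is a doc fix to carry alongside.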
@@ -0,0 +1,23 @@
+locals {
+ amis_yaml_regionMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.RegionMap
+ amis_yaml_converterMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.ConverterMap
+
+
+ // Variables example:
+ // version_license = "R81.10-PAYG-NGTX"
+ // RESULT:
+ // version_license_key = "R81.10-PAYG-NGTX-GW"
+
+ // version_license_value = "R8110PAYGNGTXGW"
+
+ version_license_key_mgmt_gw = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management"? "-MGMT" : var.chkp_type == "mds" ? "-MGMT" : "")
+ version_license_key = var.chkp_type == "standalone" ? format("%s%s", var.version_license, element(split("-", var.version_license), 1) == "BYOL" ? "-MGMT" : "") : local.version_license_key_mgmt_gw
+
+ version_license_value = local.amis_yaml_converterMap[local.version_license_key]["Value"]
+
+ // Variables example:
+ // region = "us-east-1"
+ // version_license_key - see above
+ // RESULT: local.ami_id = "ami-1234567"
+ ami_id = local.amis_yaml_regionMap[local.region][local.version_license_value]
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/amis/output.tf b/deprecated/terraform/aws/R81/modules/amis/output.tf
new file mode 100755
index 00000000..0be16a15
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/amis/output.tf
@@ -0,0 +1,6 @@
+output "ami_id" {
+ value = local.ami_id
+}
+output "version_license_with_suffix" {
+ value = local.version_license_key
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/amis/variables.tf b/deprecated/terraform/aws/R81/modules/amis/variables.tf
new file mode 100755
index 00000000..3cbf7b1b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/amis/variables.tf
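Review bot: `ami_id`, the last entry of the `locals` block, is taken verbatim from a remotely fetched YAML document and handed to the launch template without any check that the image is actually owned by the vendor, so a tampered, stale or mis-keyed `amis.yaml` silently selects an arbitrary AMI. The `split("Resources", ...)` text slicing and the bare nested map lookups also fail with opaque index errors if the document's shape changes. A practitioner would resolve the ID through a `data "aws_ami"` filtered on `image-id` with the vendor account in `owners` (the account ID is not visible here, confirm it before wiring it in), e.g. `data "aws_ami" "chosen" { owners = [var.ami_owner] filter { name = "image-id" values = [local.ami_id] } }`, so the plan fails closed instead of booting an unknown image. At minimum, a comment on `ami_id` should state that the lookup is unauthenticated and trusts the bucket behind `var.amis_url`.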
@@ -0,0 +1,26 @@
+variable "amis_url" {
+ type = string
+ description = "URL to amis.yaml"
+ default = "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml"
+}
+
+data "http" "amis_yaml_http" {
+ url = var.amis_url
+}
+
+data "aws_region" "current" {}
+locals {
+ region = data.aws_region.current.name
+}
+
+// --- Version & License ---
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+variable "version_license" {
+ type = string
+ description = "Version and license"
+}
+
diff --git a/deprecated/terraform/aws/R81/modules/cloudwatch-policy/main.tf b/deprecated/terraform/aws/R81/modules/cloudwatch-policy/main.tf
new file mode 100755
index 00000000..3d191a01
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/cloudwatch-policy/main.tf
@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["cloudwatch:PutMetricData"]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "policy" {
+ name_prefix = format("%s-iam_policy", var.tag_name)
+ policy = data.aws_iam_policy_document.policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "attachment" {
+ role = var.role
+ policy_arn = aws_iam_policy.policy.arn
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/cloudwatch-policy/variables.tf b/deprecated/terraform/aws/R81/modules/cloudwatch-policy/variables.tf
new file mode 100755
index 00000000..2d3f9452
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/cloudwatch-policy/variables.tf
@@ -0,0 +1,9 @@
+variable "tag_name" {
+ type = string
+ description = "(Optional) IAM policy name prefix"
+ default = "cloudwatch"
+}
+variable "role" {
+ type = string
+ description = "A IAM role to attach the cloudwatch policy to it"
+}
\ No newline at end of file
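Review bot: The default `amis_url` points at a *staging* bucket (`cgi-cfts-staging.s3.amazonaws.com`) and `data "http" "amis_yaml_http"` fetches it with no status or integrity check, so the AMI every module in this tree boots from is decided by whoever can write to that bucket, and a 403/404 body would be fed straight into `yamldecode`. For a deprecated tree this is presumably the historical default, but it should be said out loud: extend the description to `"URL to amis.yaml. This document is fetched unauthenticated and trusted as the source of AMI IDs; override it to a bucket you control or verify."`. If the Terraform floor in versions.tf is ever raised to 1.2, add a `postcondition` on the data source asserting `self.status_code == 200` so a failed fetch stops the plan instead of producing a confusing decode error.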
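Review bot: The `cloudwatch:PutMetricData` statement in `policy_document` grants `resources = ["*"]` with no condition, so the instance profile can publish into any metric namespace in the account, including ones that alarms and dashboards trust. PutMetricData genuinely has no resource-level ARNs, so `*` is unavoidable, but the action does support the `cloudwatch:namespace` condition key; add `condition { test = "StringEquals" variable = "cloudwatch:namespace" values = [local.metrics_namespace] }` with the namespace the on-box agent publishes to (not visible in this module, confirm against `cloud_config.py` before pinning it). A short comment on the statement explaining why `*` is required would also stop the next linter from flagging it as an oversight.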
diff --git a/deprecated/terraform/aws/R81/modules/cluster-iam-role/main.tf b/deprecated/terraform/aws/R81/modules/cluster-iam-role/main.tf
new file mode 100755
index 00000000..b56eacd6
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/cluster-iam-role/main.tf
@@ -0,0 +1,38 @@
+resource "aws_iam_role" "cluster_iam_role" {
+ assume_role_policy = data.aws_iam_policy_document.cluster_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cluster_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "cluster_role_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssociateAddress",
+ "ec2:CreateRoute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:ReplaceRoute"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cluster_role_policy" {
+ policy = data.aws_iam_policy_document.cluster_role_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_policy" {
+ policy_arn = aws_iam_policy.cluster_role_policy.arn
+ role = aws_iam_role.cluster_iam_role.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/cluster-iam-role/output.tf b/deprecated/terraform/aws/R81/modules/cluster-iam-role/output.tf
new file mode 100755
index 00000000..7bbf0351
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/cluster-iam-role/output.tf
@@ -0,0 +1,9 @@
+output "cluster_iam_role" {
+ value = aws_iam_role.cluster_iam_role
+}
+output "cluster_iam_role_arn" {
+ value = aws_iam_role.cluster_iam_role.arn
+}
+output "cluster_iam_role_name" {
+ value = aws_iam_role.cluster_iam_role.name
+}
\ No newline at end of file
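Review bot: `cluster_role_policy_doc` allows `ec2:CreateRoute`, `ec2:ReplaceRoute`, `ec2:AssociateAddress` and `ec2:AssignPrivateIpAddresses` on `resources = ["*"]`, so a compromised cluster member (or anything that reaches its IMDS credentials) can rewrite the default route of every route table in the account and re-home any Elastic IP, not just the ones this cluster fails over. Those four actions do support resource-level permissions, so split the statement: keep the two `Describe*` calls on `*`, and scope the mutating actions to the cluster's VPC, for example with `condition { test = "StringEquals" variable = "ec2:Vpc" values = [var.vpc_arn] }` on the route-table actions (the VPC is not currently an input of this module, so it would have to be passed in; confirm the condition key against the resource types you attach it to). The `ec2.amazonaws.com` assume-role statement itself is fine as written.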
diff --git a/deprecated/terraform/aws/R81/modules/common/elastic_ip/locals.tf b/deprecated/terraform/aws/R81/modules/common/elastic_ip/locals.tf
new file mode 100755
index 00000000..c4af5bca
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/elastic_ip/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ allocate_and_associate_eip_condition = var.allocate_and_associate_eip == true ? 1 : 0
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/elastic_ip/main.tf b/deprecated/terraform/aws/R81/modules/common/elastic_ip/main.tf
new file mode 100755
index 00000000..879748a9
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/elastic_ip/main.tf
@@ -0,0 +1,10 @@
+resource "aws_eip" "gateway_eip" {
+ count = local.allocate_and_associate_eip_condition
+ network_interface = var.external_eni_id
+}
+resource "aws_eip_association" "address_assoc" {
+ count = local.allocate_and_associate_eip_condition
+ allocation_id = aws_eip.gateway_eip[count.index].id
+ network_interface_id = var.external_eni_id
+ private_ip_address = var.private_ip_address
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/elastic_ip/output.tf b/deprecated/terraform/aws/R81/modules/common/elastic_ip/output.tf
new file mode 100755
index 00000000..31857b83
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/elastic_ip/output.tf
@@ -0,0 +1,9 @@
+output "gateway_eip_id" {
+ value = aws_eip.gateway_eip.*.id
+}
+output "gateway_eip_public_ip" {
+ value = aws_eip.gateway_eip.*.public_ip
+}
+output "gateway_eip_attached_instance" {
+ value = aws_eip.gateway_eip.*.instance
+}
diff --git a/deprecated/terraform/aws/R81/modules/common/elastic_ip/variables.tf b/deprecated/terraform/aws/R81/modules/common/elastic_ip/variables.tf
new file mode 100755
index 00000000..c6881436
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/elastic_ip/variables.tf
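Review bot: `aws_eip.gateway_eip` sets `network_interface = var.external_eni_id` and then `aws_eip_association.address_assoc` associates the same allocation with the same ENI a second time, so two resources own one association; on the `~> 5.20.0` provider pinned in versions.tf this kind of double ownership is a known source of perpetual diffs or "already associated" errors on re-apply, though I have not reproduced it against this exact module. Let the association resource, which is the one that also carries `private_ip_address`, own it exclusively: drop `network_interface` from `aws_eip` and replace it with `domain = "vpc"` (the 5.x replacement for the deprecated `vpc` flag). Nothing else in the module references the EIP's own association, so outputs are unaffected.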
@@ -0,0 +1,13 @@
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "external_eni_id" {
+ type = string
+ description = "The external-eni of the security gateway"
+}
+variable "private_ip_address" {
+ type = string
+ description = "The primary or secondary private IP address to associate with the Elastic IP address. "
+}
diff --git a/deprecated/terraform/aws/R81/modules/common/gateway_instance/gateway_userdata.yaml b/deprecated/terraform/aws/R81/modules/common/gateway_instance/gateway_userdata.yaml
new file mode 100755
index 00000000..ba55e025
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/gateway_instance/gateway_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/gateway_instance/locals.tf b/deprecated/terraform/aws/R81/modules/common/gateway_instance/locals.tf
new file mode 100755
index 00000000..a0d9034d
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/gateway_instance/locals.tf
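Review bot: `"smart1CloudToken=\"${TokenKey}\""` interpolates `gateway_TokenKey` raw into the `runcmd` shell line, whereas the SIC key, both password hashes and the bootstrap script are base64-encoded first and (for the first three) regex-validated in locals.tf; the token gets neither, so a value containing `"`, `$`, `;` or a backtick breaks the command or is executed by the shell, and a quoting mistake here is only discovered on first boot. Either pass it the same way as its neighbours (`TokenKey = base64encode(var.gateway_TokenKey)` in main.tf, which requires `cloud_config.py` to decode that argument, and that script is not visible here, so confirm it can) or add a `validation` block on `gateway_TokenKey` restricting it to the token's alphabet. Worth a comment on line 4 as well: user-data is base64, not encrypted, so every value on this line is readable by any principal with `ec2:DescribeInstanceAttribute` on the instance; `http_tokens = "required"` in the launch template only closes the on-box IMDS path.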
@@ -0,0 +1,39 @@ +locals { + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + + volume_encryption_condition = var.volume_encryption != "" ? 
true : false + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.gateway_version), 0) + + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) + gateway_maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/modules/common/gateway_instance/main.tf b/deprecated/terraform/aws/R81/modules/common/gateway_instance/main.tf new file mode 100755 index 00000000..38382cc2 --- /dev/null +++ b/deprecated/terraform/aws/R81/modules/common/gateway_instance/main.tf 
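Review bot: The `regex_*` checks in the `locals` block can never show their messages: `regex()` itself raises when the pattern does not match, so the `? 0 : "Variable [...] must ..."` branch is unreachable and the operator sees a raw regex error instead; the hostname message is also a copy-paste, naming `[lambda_scheduled_interval]` where it should say `[gateway_hostname]`. variables.tf in this same module already uses a `validation` block for `configuration_template`, so the consistent fix is to move each check there, e.g. `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) error_message = "Variable [gateway_SICKey] must be at least 8 alphanumeric characters." }`. The same applies to the two `index()` checks at the top (`validate_control_over_public_or_private`, `validate_admin_shell`), which fail with "element not found" rather than listing the allowed values; `contains(local.admin_shell_allowed_values, var.admin_shell)` inside a `validation` block gives a usable message.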
@@ -0,0 +1,63 @@
+resource "aws_launch_template" "gateway_launch_template" {
+ key_name = var.key_name
+ image_id = var.ami_id
+ instance_type = var.gateway_instance_type
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = var.iam_instance_profile_id
+ }
+
+ network_interfaces {
+ network_interface_id = var.external_eni_id
+ device_index = 0
+ }
+
+ network_interfaces {
+ network_interface_id = var.internal_eni_id
+ device_index = 1
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+}
+
+resource "aws_instance" "gateway_instance" {
+ launch_template {
+ id = aws_launch_template.gateway_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.gateway_name
+ x-chkp-tags = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.control_gateway_over_public_or_private_address)
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition ? true : false
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ user_data = templatefile("${path.module}/gateway_userdata.yaml", {
+ // script's arguments
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.gateway_maintenance_mode_password_hash_base64,
+ Shell = var.admin_shell,
+ SICKey = local.gateway_SICkey_base64,
+ TokenKey = var.gateway_TokenKey,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ Hostname = var.gateway_hostname,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ EnableInstanceConnect = var.enable_instance_connect,
+ OsVersion = local.version_split
+ })
+}
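Review bot: The `ebs_block_device` for `/dev/xvda` sets `encrypted = local.volume_encryption_condition ? true : false`, so passing `volume_encryption = ""` silently creates an unencrypted root volume holding the SIC key, password hashes and policy; the `alias/aws/ebs` default makes this look encrypted-by-default, but the opt-out is a single empty string with no warning or plan-time message. Encrypt unconditionally and treat the variable purely as a key selector: `encrypted = true` and `kms_key_id = local.volume_encryption_condition ? var.volume_encryption : null` (`null` falls back to the account's default EBS key, which is what the empty string most likely intended). Separately, the rendered `user_data` carries the SIC key, both password hashes and the Smart-1 Cloud token, and it is printed in `terraform plan` and stored in state unless the source variables are declared `sensitive`; a comment above `user_data` pointing that out would save the next operator a surprise.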
diff --git a/deprecated/terraform/aws/R81/modules/common/gateway_instance/output.tf b/deprecated/terraform/aws/R81/modules/common/gateway_instance/output.tf
new file mode 100755
index 00000000..0c5f6d02
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/gateway_instance/output.tf
@@ -0,0 +1,9 @@
+output "gateway_instance_id" {
+ value = aws_instance.gateway_instance.id
+}
+output "gateway_instance_arn" {
+ value = aws_instance.gateway_instance.arn
+}
+output "gateway_instance_name" {
+ value = aws_instance.gateway_instance.tags["Name"]
+}
diff --git a/deprecated/terraform/aws/R81/modules/common/gateway_instance/variables.tf b/deprecated/terraform/aws/R81/modules/common/gateway_instance/variables.tf
new file mode 100755
index 00000000..0e1a010c
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/gateway_instance/variables.tf
@@ -0,0 +1,147 @@ +variable "external_eni_id" { + type = string + description = "The external-eni of the security gateway" +} +variable "internal_eni_id" { + type = string + description = "The internal-eni of the security gateway" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} +variable "management_server" { + type = string + description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration" + default = "" +} +variable "configuration_template" { + type = string + description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration" + default = "" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} +variable "control_gateway_over_public_or_private_address" { + type = string + description = "Determines if the Security Gateway is provisioned using its private or public address" + default = "private" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')." 
+ default = "alias/aws/ebs" +} +variable "gateway_version" { + type = string + description = "Gateway version & license" + default = "R81.20-BYOL" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance." + default = {} +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "ami_id" { + type = string + description = "The AMI to use for the instance" +} +variable "iam_instance_profile_id" { + type = string + description = "The IAM instance profile id" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "primary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/modules/common/instance_type/main.tf b/deprecated/terraform/aws/R81/modules/common/instance_type/main.tf new file mode 100755 index 00000000..22fffe49 --- /dev/null +++ b/deprecated/terraform/aws/R81/modules/common/instance_type/main.tf 
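Review bot: `gateway_SICKey`, `gateway_TokenKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are credentials, yet none of the four blocks declares `sensitive = true`, so their values, and the `user_data` that main.tf derives from them, are echoed in `terraform plan` output and any CI log that captures it. Add `sensitive = true` to each of those four variable blocks; it is supported from Terraform 0.14, which matches the `>= 0.14.3` floor in versions.tf. `gateway_TokenKey` is also the only one of them with neither a default nor a validation, so deployments that do not use Smart-1 Cloud cannot tell "empty" from "forgotten"; give it `default = ""` with an `(Optional)` prefix in the description, or a `validation` block, whichever matches how `cloud_config.py` treats an empty token (not visible here).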
@@ -0,0 +1,353 @@ +locals { + gw_types = [ + "c4.large", + "c4.xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mgmt_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + 
"c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mds_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + 
"c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + server_types = [ + "t3.nano", + "t3.micro", + "t3.small", + "t3.medium", + "t3.large", + "t3.xlarge", + "t3.2xlarge" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_types : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_types : [] + mds_values = var.chkp_type == "mds" ? local.mds_types : [] + server_values = var.chkp_type == "server" ? 
local.server_types : [] + sa_values = var.chkp_type == "standalone" ? concat(local.gw_types, local.mgmt_types) : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values , local.server_types) + is_allowed_type = index(local.allowed_values, var.instance_type) +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/modules/common/instance_type/variables.tf b/deprecated/terraform/aws/R81/modules/common/instance_type/variables.tf new file mode 100755 index 00000000..1711c3f7 --- /dev/null +++ b/deprecated/terraform/aws/R81/modules/common/instance_type/variables.tf @@ -0,0 +1,22 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "mds", + "standalone", + "server" + ] + // Will fail if var.chkp_type is invalid + validate_instance_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "instance_type" { + type = string + description = "AWS Instance type" +} + diff --git a/deprecated/terraform/aws/R81/modules/common/internal_default_route/locals.tf b/deprecated/terraform/aws/R81/modules/common/internal_default_route/locals.tf new file mode 100755 index 00000000..493c4d9a --- /dev/null +++ b/deprecated/terraform/aws/R81/modules/common/internal_default_route/locals.tf @@ -0,0 +1,3 @@ +locals { + internal_route_table_condition = var.private_route_table != "" ? 1 : 0 +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/modules/common/internal_default_route/main.tf b/deprecated/terraform/aws/R81/modules/common/internal_default_route/main.tf new file mode 100755 index 00000000..ddcb5bd8 --- /dev/null +++ b/deprecated/terraform/aws/R81/modules/common/internal_default_route/main.tf 
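Review bot: In the second `locals` block, `allowed_values` coalesces `local.server_types` instead of `local.server_values`, so the `server_values` computed on the line above is dead and the server list is always the final fallback; it works today only because `server_types` is never empty and because variables.tf validates `chkp_type` separately, but the intent was clearly `coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values, local.server_values)`, which also fails closed (all-empty is an error) if that validation is ever loosened. The `index()` on the last line likewise surfaces a bare "element not found" rather than telling the operator which instance types are allowed; a `validation` block on `instance_type` using `contains(...)` would give a readable message, at the cost of moving the type lists into scope of the variable.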
@@ -0,0 +1,6 @@
+resource "aws_route" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ destination_cidr_block = "0.0.0.0/0"
+ network_interface_id = var.internal_eni_id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/internal_default_route/output.tf b/deprecated/terraform/aws/R81/modules/common/internal_default_route/output.tf
new file mode 100755
index 00000000..fa691b92
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/internal_default_route/output.tf
@@ -0,0 +1,3 @@
+output "internal_default_route_id" {
+ value = aws_route.internal_default_route.*.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/internal_default_route/variables.tf b/deprecated/terraform/aws/R81/modules/common/internal_default_route/variables.tf
new file mode 100755
index 00000000..b8e2f458
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/internal_default_route/variables.tf
@@ -0,0 +1,9 @@
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default=""
+}
+variable "internal_eni_id" {
+ type = string
+ description = "The internal-eni of the security gateway"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/load_balancer/main.tf b/deprecated/terraform/aws/R81/modules/common/load_balancer/main.tf
new file mode 100755
index 00000000..18b3b753
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/load_balancer/main.tf
@@ -0,0 +1,36 @@
+resource "random_id" "unique_lb_id" {
+ keepers = {
+ prefix = var.prefix_name
+ }
+ byte_length = 8
+}
+resource "aws_lb" "load_balancer" {
+ name = substr(format("%s-%s", "${var.prefix_name}-LB", random_id.unique_lb_id.hex), 0, 32)
+ load_balancer_type = var.load_balancers_type == "gateway" ? "gateway" : var.load_balancers_type == "Network Load Balancer" ? "network": "application"
+ internal = var.load_balancers_type == "gateway" ? "false" : var.internal
+ subnets = var.instances_subnets
+ security_groups = var.security_groups
+ tags = var.tags
+ enable_cross_zone_load_balancing = var.cross_zone_load_balancing
+}
+resource "aws_lb_target_group" "lb_target_group" {
+ name = substr(format("%s-%s", "${var.prefix_name}-TG", random_id.unique_lb_id.hex), 0, 32)
+ vpc_id = var.vpc_id
+ protocol = var.load_balancer_protocol
+ port = var.target_group_port
+ health_check {
+ port = var.load_balancers_type != "gateway" ? var.health_check_port : 8117
+ protocol = var.load_balancers_type != "gateway" ? var.health_check_protocol : "TCP"
+ }
+}
+resource "aws_lb_listener" "lb_listener" {
+ depends_on = [aws_lb.load_balancer, aws_lb_target_group.lb_target_group]
+ load_balancer_arn = aws_lb.load_balancer.arn
+ certificate_arn = var.certificate_arn
+ protocol = var.load_balancers_type != "gateway" ? var.load_balancer_protocol : null
+ port = var.load_balancers_type != "gateway" ? var.listener_port : null
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.lb_target_group.arn
+ }
+}
diff --git a/deprecated/terraform/aws/R81/modules/common/load_balancer/output.tf b/deprecated/terraform/aws/R81/modules/common/load_balancer/output.tf
new file mode 100755
index 00000000..63123606
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/load_balancer/output.tf
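Review bot: `aws_lb_listener.lb_listener` sets `certificate_arn` but never `ssl_policy`, so when `load_balancer_protocol` is `HTTPS` or `TLS` the listener gets the service default policy, which for application load balancers has historically been `ELBSecurityPolicy-2016-08` and still negotiates TLS 1.0 and 1.1 (verify the current default for your region and LB type before relying on it). Pin a modern policy only for TLS-based listeners so TCP/UDP listeners are untouched: `ssl_policy = contains(["HTTPS", "TLS"], var.load_balancer_protocol) ? "ELBSecurityPolicy-TLS13-1-2-2021-06" : null`. Two smaller points on the same hunk: `internal = ... ? "false" : var.internal` mixes a string literal with a bool variable and should read `false`, and the `depends_on` on the listener is redundant because both dependencies are already referenced by attribute.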
@@ -0,0 +1,18 @@
+output "load_balancer_id" {
+ value = aws_lb.load_balancer.id
+}
+output "load_balancer_arn" {
+ value = aws_lb.load_balancer.arn
+}
+output "load_balancer_url" {
+ value = aws_lb.load_balancer.dns_name
+}
+output "target_group_id" {
+ value = aws_lb_target_group.lb_target_group.id
+}
+output "target_group_arn" {
+ value = aws_lb_target_group.lb_target_group.arn
+}
+output "load_balancer_tags" {
+ value = aws_lb.load_balancer.tags
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/load_balancer/variables.tf b/deprecated/terraform/aws/R81/modules/common/load_balancer/variables.tf
new file mode 100755
index 00000000..2e143fc7
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/load_balancer/variables.tf
@@ -0,0 +1,62 @@
+variable "instances_subnets" {
+ type = list(string)
+ description = "Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+variable "prefix_name" {
+ type = string
+ description = "Load Balancer and Target Group prefix name"
+ default = "quickstart"
+}
+variable "internal" {
+ type = bool
+ description = "Select 'true' to create an Internal Load Balancer."
+ default = false
+}
+variable "security_groups" {
+ type = list(string)
+ description = "A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application"
+}
+variable "tags" {
+ type = map(string)
+ description = "A map of tags to assign to the load balancer."
+}
+variable "vpc_id" {
+ type = string
+}
+variable "load_balancers_type" {
+ type = string
+ description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing"
+ default = "Network Load Balancer"
+}
+variable "load_balancer_protocol" {
+ type = string
+ description = "The protocol to use on the Load Balancer."
+}
+variable "target_group_port" {
+ type = number
+ description = "The port on which targets receive traffic."
+}
+variable "listener_port" {
+ type = string
+ description = "The port on which the load balancer is listening."
+}
+variable "certificate_arn" {
+ type = string
+ description = "The ARN of the default server certificate. Exactly one certificate is required if the protocol is HTTPS or TLS. "
+ default = ""
+}
+variable "cross_zone_load_balancing"{
+ type = bool
+ default = false
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+}
+variable "health_check_port" {
+ description = "The health check port"
+ type = number
+ default = null
+}
+variable "health_check_protocol" {
+ description = "The health check protocol"
+ type = string
+ default = null
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/permissive_sg/main.tf b/deprecated/terraform/aws/R81/modules/common/permissive_sg/main.tf
new file mode 100755
index 00000000..265f3c56
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/permissive_sg/main.tf
@@ -0,0 +1,20 @@
+resource "aws_security_group" "permissive_sg" {
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ name_prefix = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Group name
+ tags = {
+ Name = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Resource name
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/permissive_sg/output.tf b/deprecated/terraform/aws/R81/modules/common/permissive_sg/output.tf
new file mode 100755
index 00000000..83541c15
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/permissive_sg/output.tf
@@ -0,0 +1,9 @@
+output "permissive_sg_id" {
+ value = aws_security_group.permissive_sg.id
+}
+output "permissive_sg_name" {
+ value = aws_security_group.permissive_sg.name
+}
+output "permissive_sg_arn" {
+ value = aws_security_group.permissive_sg.arn
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/permissive_sg/variables.tf b/deprecated/terraform/aws/R81/modules/common/permissive_sg/variables.tf
new file mode 100755
index 00000000..d2afaad2
--- /dev/null
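Review bot: `load_balancers_type` accepts any string, and the consuming main.tf treats everything that is not exactly "gateway" or "Network Load Balancer" as an application load balancer, so a typo silently changes the LB type; add a `validation` block with `condition = contains(["gateway", "Network Load Balancer", "Application Load Balancer"], var.load_balancers_type)` and `error_message = "load_balancers_type must be gateway, Network Load Balancer or Application Load Balancer."`. `security_groups` is documented as valid only for application load balancers yet has no default, so callers of the other flavours must pass a value anyway — `default = []` would match the description. `listener_port` is typed `string` while `target_group_port` and `health_check_port` are `number`; unifying them avoids relying on implicit conversion.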
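Review bot: `permissive_sg` allows every protocol and port from 0.0.0.0/0 in both directions, and the module carries no comment or rule `description` explaining the assumption that makes this acceptable — presumably that the Check Point gateway enforces its own policy on the instance — while its outputs let any caller attach the group to anything. Add a comment above the `ingress` block, e.g. `// Intentionally wide open: filtering is expected to happen in the gateway's own policy; never attach this group to non-gateway instances`, and a `description` on each rule so the intent survives into the console. The rules cover IPv4 only (`ipv6_cidr_blocks` is absent); say so in the same comment if that is deliberate.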
+++ b/deprecated/terraform/aws/R81/modules/common/permissive_sg/variables.tf
@@ -0,0 +1,13 @@
+variable "vpc_id" {
+ type = string
+}
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway-tf"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/common/version_license/main.tf b/deprecated/terraform/aws/R81/modules/common/version_license/main.tf
new file mode 100755
index 00000000..c8fe1838
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/version_license/main.tf
@@ -0,0 +1,60 @@
+locals {
+ gw_versions = [
+ "R81-BYOL",
+ "R81-PAYG-NGTP",
+ "R81-PAYG-NGTX",
+ "R81.10-BYOL",
+ "R81.10-PAYG-NGTP",
+ "R81.10-PAYG-NGTX",
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
+ ]
+ mgmt_versions = [
+ "R81-BYOL",
+ "R81-PAYG",
+ "R81.10-BYOL",
+ "R81.10-PAYG",
+ "R81.20-BYOL",
+ "R81.20-PAYG",
+ "R82-BYOL",
+ "R82-PAYG"
+ ]
+ mds_versions = [
+ "R81-BYOL",
+ "R81.10-BYOL",
+ "R81.20-BYOL",
+ "R82-BYOL"
+ ]
+ standalone_versions = [
+ "R81-BYOL",
+ "R81-PAYG-NGTP",
+ "R81.10-BYOL",
+ "R81.10-PAYG-NGTP",
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R82-BYOL",
+ "R82-PAYG-NGTP"
+ ]
+ gwlb_gw_versions = [
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
+ ]
+}
+
+locals {
+ gw_values = var.chkp_type == "gateway" ? local.gw_versions : []
+ mgmt_values = var.chkp_type == "management" ? local.mgmt_versions : []
+ mds_values = var.chkp_type == "mds" ? local.mds_versions : []
+ standalone_values = var.chkp_type == "standalone" ? local.standalone_versions : []
+ gwlb_gw_values = var.chkp_type == "gwlb_gw" ? local.gwlb_gw_versions : []
+ allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.standalone_values, local.mds_values, local.gwlb_gw_values)
+ is_allowed_type = index(local.allowed_values, var.version_license)
+}
diff --git a/deprecated/terraform/aws/R81/modules/common/version_license/variables.tf b/deprecated/terraform/aws/R81/modules/common/version_license/variables.tf
new file mode 100755
index 00000000..9467e232
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/common/version_license/variables.tf
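Review bot: Validation of `version_license` rides on the unused local `is_allowed_type = index(local.allowed_values, var.version_license)`, so a wrong value surfaces as a generic index-not-found error that names neither the variable nor the allowed values, and this file does not even carry the `// Will fail if ... is invalid` comment its sibling variables.tf uses; at minimum add `// Will fail if var.version_license is not allowed for var.chkp_type` above that line. For an actionable message, a `precondition` (on an `output` or on the resource that consumes the result, Terraform >= 1.2) whose `error_message` interpolates `join(", ", local.allowed_values)` works on any current version, whereas a variable `validation` block can only reference locals from 1.9 onward. Note also that when `chkp_type` matches none of the five lists, `coalescelist` fails first with yet another unrelated message.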
@@ -0,0 +1,21 @@
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+locals {
+ type_allowed_values = [
+ "gateway",
+ "management",
+ "mds",
+ "standalone",
+ "gwlb_gw"]
+ // Will fail if var.chkp_type is invalid
+ validate_chkp_type = index(local.type_allowed_values, var.chkp_type)
+}
+
+variable "version_license" {
+ type = string
+ description = "AWS Version license"
+}
+
diff --git a/deprecated/terraform/aws/R81/modules/custom-autoscale/locals.tf b/deprecated/terraform/aws/R81/modules/custom-autoscale/locals.tf
new file mode 100755
index 00000000..1a9b6900
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/custom-autoscale/locals.tf
@@ -0,0 +1,9 @@
+locals {
+ asg_name = format("%s%s-servers", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+
+ provided_target_groups_condition = var.servers_target_groups != "" ? true : false
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/custom-autoscale/main.tf b/deprecated/terraform/aws/R81/modules/custom-autoscale/main.tf
new file mode 100755
index 00000000..c361388d
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/custom-autoscale/main.tf
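Review bot: `regex_valid_server_ami` ends in `)?$`, so an empty `server_ami` passes the check and the apply only fails later at the launch template with an unrelated error; unless a caller deliberately passes "" when the servers are not deployed, drop the optional group: `regex_valid_server_ami = "^ami-(([0-9a-f]{8})|([0-9a-f]{17}))$"`. As in the other modules here, the check works only as a side effect of an unused local (`regex_server_ami`); a `validation` block on `server_ami` with `condition = can(regex("^ami-(([0-9a-f]{8})|([0-9a-f]{17}))$", var.server_ami))` reports the message directly and needs no local. `provided_target_groups_condition = var.servers_target_groups != "" ? true : false` is just the comparison; the conditional adds nothing.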
@@ -0,0 +1,94 @@
+resource "aws_security_group" "servers_security_group" {
+ count = var.deploy_internal_security_group ? 1 : 0
+ name_prefix = format("%s_ServersSecurityGroup", local.asg_name)
+ description = "Servers security group"
+ vpc_id = var.vpc_id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = format("%s_ServersSecurityGroup", local.asg_name)
+ }
+}
+
+
+resource "aws_launch_template" "servers_launch_template" {
+ name_prefix = local.asg_name
+ network_interfaces {
+ associate_public_ip_address = var.allocate_public_address
+ security_groups = var.deploy_internal_security_group ? [aws_security_group.servers_security_group[0].id] : [var.source_security_group]
+ }
+ key_name = var.key_name
+ image_id = var.server_ami
+ description = "Initial template version"
+ monitoring {
+ enabled = true
+ }
+ instance_type = var.servers_instance_type
+}
+resource "aws_autoscaling_group" "servers_group" {
+ name_prefix = local.asg_name
+ vpc_zone_identifier = var.servers_subnets
+ launch_template {
+ name = aws_launch_template.servers_launch_template.name
+ version = aws_launch_template.servers_launch_template.latest_version
+ }
+ min_size = var.servers_min_group_size
+ max_size = var.servers_max_group_size
+ target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : []
+
+ tag {
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.server_name)
+ propagate_at_launch = true
+ }
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ adjustment_type = "ChangeInCapacity"
+ autoscaling_group_name = aws_autoscaling_group.servers_group.name
+ name = "scale_up_policy"
+ cooldown = 300
+ scaling_adjustment = 1
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ adjustment_type = "ChangeInCapacity"
+ autoscaling_group_name = aws_autoscaling_group.servers_group.name
+ name = "scale_down_policy"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = "300"
+ evaluation_periods = "2"
+ threshold = "80"
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.servers_group.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+ alarm_name = "cpu_alarm_high"
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
+ alarm_description = "Scale-down if CPU < 60% for 10 minutes"
+ metric_name = "CPUUtilization"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = "300"
+ evaluation_periods = "2"
+ threshold = "60"
+ alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.servers_group.name
+ }
+ comparison_operator = "LessThanThreshold"
+ alarm_name = "cpu_alarm_low"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/custom-autoscale/variables.tf b/deprecated/terraform/aws/R81/modules/custom-autoscale/variables.tf
new file mode 100755
index 00000000..a99cb9a5
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/custom-autoscale/variables.tf
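Review bot: `servers_security_group` admits every protocol and port from 0.0.0.0/0, although `source_security_group` is documented as the group "from which access will be allowed" and is simply ignored whenever the internal group is created; restrict the ingress at least to the VPC CIDR (below) or to a caller-supplied source group. Declaring inline `ingress` with no `egress` also makes the provider remove the default allow-all egress, which may be unintended for servers that need outbound access. The launch template sets no `metadata_options`, so IMDSv1 remains reachable from the instances; add `http_tokens = "required"` (below). Lastly, `target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : []` wraps the whole string as a single ARN even though the variable is described as a comma-separated list; `split(",", var.servers_target_groups)` matches that description.
```hcl
data "aws_vpc" "selected" {
  id = var.vpc_id
}

resource "aws_security_group" "servers_security_group" {
  # … unchanged: count, name_prefix, description, vpc_id …
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [data.aws_vpc.selected.cidr_block] # was 0.0.0.0/0; servers sit behind the gateway
  }
  # … unchanged: tags …
}

resource "aws_launch_template" "servers_launch_template" {
  # … unchanged: name_prefix, network_interfaces, key_name, image_id, description, monitoring …
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required" # IMDSv2 only
  }
  # … unchanged: instance_type …
}
```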
@@ -0,0 +1,89 @@
+// Module: Auto Scaling group of workload servers
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+ description = "Select an existing VPC"
+}
+variable "servers_subnets" {
+ type = list(string)
+ description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f)"
+}
+
+// --- EC2 Instances Configuration ---
+variable "server_ami" {
+ type = string
+ description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)"
+}
+variable "server_name" {
+ type = string
+ description = "AMI of the servers"
+ default = "Server-tf"
+}
+variable "servers_instance_type" {
+ type = string
+ description = "The EC2 instance type for the web servers"
+ default = "t3.micro"
+}
+module "validate_servers_instance_type" {
+ source = "../common/instance_type"
+
+ chkp_type = "server"
+ instance_type = var.servers_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "allocate_public_address" {
+ type = bool
+ description = "Allocate an elastic IP for each server"
+ default = false
+}
+
+// --- Auto Scaling Configuration ---
+variable "servers_min_group_size" {
+ type = number
+ description = "The minimal number of servers in the Auto Scaling group"
+ default = 2
+}
+resource "null_resource" "servers_min_group_size_too_small" {
+ // servers_min_group_size validation - resource will not be created if the size is smaller than 1
+ count = var.servers_min_group_size >= 1 ? 0 : "servers_min_group_size must be at least 1"
+}
+variable "servers_max_group_size" {
+ type = number
+ description = "The maximal number of servers in the Auto Scaling group"
+ default = 10
+}
+resource "null_resource" "servers_max_group_size_too_small" {
+ // servers_max_group_size validation - resource will not be created if the size is smaller than 1
+ count = var.servers_max_group_size >= 1 ? 0 : "servers_max_group_size must be at least 1"
+}
+variable "servers_target_groups" {
+ type = string
+ description = "(Optional) An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces)"
+ default = ""
+}
+variable "deploy_internal_security_group" {
+ type = bool
+ description = "Select 'false' to use an existing Security group"
+ default = true
+}
+variable "source_security_group" {
+ type = string
+ description = "The ID of Security Group from which access will be allowed to the instances in this Auto Scaling group"
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/modules/vpc/main.tf b/deprecated/terraform/aws/R81/modules/vpc/main.tf
new file mode 100755
index 00000000..b4b223b8
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/vpc/main.tf
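Review bot: `servers_min_group_size_too_small` and `servers_max_group_size_too_small` validate by assigning a string to `count`, which fails only with a type-conversion error, pulls in the null provider for nothing else, and leaves two placeholder resources in the configuration; a variable `validation` block (Terraform 0.13+) carries the message directly, and since each condition references only its own variable it needs no newer version. The min variable is rewritten below; max is the same with "max" substituted and `null_resource` removed. Nothing checks `servers_min_group_size <= servers_max_group_size`, which the ASG API rejects only at apply time. Unrelated: `server_name` is described as "AMI of the servers" but the sibling main.tf uses it as the Name tag.
```hcl
variable "servers_min_group_size" {
  type        = number
  description = "The minimal number of servers in the Auto Scaling group"
  default     = 2
  validation {
    condition     = var.servers_min_group_size >= 1
    error_message = "servers_min_group_size must be at least 1."
  }
}
# … removed: resource "null_resource" "servers_min_group_size_too_small" …
```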
@@ -0,0 +1,66 @@
+// --- VPC ---
+resource "aws_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+}
+
+// --- Internet Gateway ---
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.vpc.id
+}
+
+// --- Public Subnets ---
+resource "aws_subnet" "public_subnets" {
+ for_each = var.public_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ map_public_ip_on_launch = true
+ tags = {
+ Name = format("Public subnet %s", each.value)
+ }
+}
+
+// --- Private Subnets ---
+resource "aws_subnet" "private_subnets" {
+ for_each = var.private_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ tags = {
+ Name = format("Private subnet %s", each.value)
+ }
+}
+
+// --- tgw Subnets ---
+resource "aws_subnet" "tgw_subnets" {
+ for_each = var.tgw_subnets_map
+
+ vpc_id = aws_vpc.vpc.id
+ availability_zone = each.key
+ cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ tags = {
+ Name = format("tgw subnet %s", each.value)
+ }
+}
+
+
+// --- Routes ---
+resource "aws_route_table" "public_subnet_rtb" {
+ vpc_id = aws_vpc.vpc.id
+ tags = {
+ Name = "Public Subnets Route Table"
+ }
+}
+resource "aws_route" "vpc_internet_access" {
+ route_table_id = aws_route_table.public_subnet_rtb.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+}
+resource "aws_route_table_association" "public_rtb_to_public_subnets" {
+ for_each = { for public_subnet in aws_subnet.public_subnets : public_subnet.cidr_block => public_subnet.id }
+ route_table_id = aws_route_table.public_subnet_rtb.id
+ subnet_id = each.value
+}
+
diff --git a/deprecated/terraform/aws/R81/modules/vpc/output.tf b/deprecated/terraform/aws/R81/modules/vpc/output.tf
new file mode 100755
index 00000000..fc4173c9
--- /dev/null
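Review bot: `public_subnets` sets `map_public_ip_on_launch = true`, so any instance or ENI created in those subnets without an explicit `associate_public_ip_address = false` receives a public address; combined with the wide-open security groups elsewhere in this tree, that makes internet exposure the default rather than a choice. Consider `map_public_ip_on_launch = var.map_public_ip_on_launch` with the current behaviour as the default, plus a comment above the subnet stating why the public subnets need it (presumably the gateways' external interfaces). `enable_dns_hostnames` is not set on the VPC and no flow log is created; both deserve a one-line comment if deliberate. The private and tgw subnets are never associated with a route table, so they fall back to the VPC main table — fine for isolation, but worth a comment so nobody "fixes" it by attaching the public table.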
+++ b/deprecated/terraform/aws/R81/modules/vpc/output.tf
@@ -0,0 +1,18 @@
+output "vpc_id" {
+ value = aws_vpc.vpc.id
+}
+output "public_subnets_ids_list" {
+ value = [for public_subnet in aws_subnet.public_subnets : public_subnet.id ]
+}
+output "private_subnets_ids_list" {
+ value = [for private_subnet in aws_subnet.private_subnets : private_subnet.id]
+}
+output "tgw_subnets_ids_list" {
+ value = [for tgw_subnet in aws_subnet.tgw_subnets : tgw_subnet.id]
+}
+output "public_rtb" {
+ value = aws_route_table.public_subnet_rtb.id
+}
+output "aws_igw" {
+ value = aws_internet_gateway.igw.id
+}
diff --git a/deprecated/terraform/aws/R81/modules/vpc/variables.tf b/deprecated/terraform/aws/R81/modules/vpc/variables.tf
new file mode 100755
index 00000000..2623f9d0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/modules/vpc/variables.tf
@@ -0,0 +1,22 @@
+variable "vpc_cidr" {
+ type = string
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "tgw_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+ default = {}
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
+}
+
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/README.md b/deprecated/terraform/aws/R81/qs-autoscale-master/README.md
new file mode 100755
index 00000000..8bffc621
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale-master/README.md
@@ -0,0 +1,256 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/qs-autoscale +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale and /terraform/aws/management: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Network Load Balancer" + LB_protocol = "TCP" + certificate = "arn:aws:iam::12345678:server-certificate/certificate" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + 
gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = false + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = true + servers_instance_type = "t3.micro" + server_ami = "ami-12345abc" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| private_subnets_ids_list | A list of the private subnets ids | +| public_rout_table | The public route table id | +| internal_port | The internal Load Balancer should listen to this port | +| management_name | The deployed Security Management AWS instance name | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_lb_target_group_arn | The external Load Balancer Target Group ARN | +| internal_lb_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of 
the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231127 | Add support for parameter admin shell | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details 
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/locals.tf b/deprecated/terraform/aws/R81/qs-autoscale-master/locals.tf new file mode 100755 index 00000000..e23f58a2 --- /dev/null +++ b/deprecated/terraform/aws/R81/qs-autoscale-master/locals.tf 
@@ -0,0 +1,63 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"] : [
+ "HTTP",
+ "HTTPS"]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ? 0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/main.tf b/deprecated/terraform/aws/R81/qs-autoscale-master/main.tf
new file mode 100755
index 00000000..9c7eada0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale-master/main.tf
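Review bot: `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` accept any prefix length from /0 to /32, so `0.0.0.0/0` passes validation and the management server's web, SSH and SmartConsole listeners (which the README says admin_cidr is meant to restrict to "this network") can be opened to every IPv4 address without a single warning. If a fully open CIDR is not an intended configuration, drop the `0` alternative from the prefix group, e.g. `(\\/([1-9]|[1-2][0-9]|3[0-2]))$`; if it is intended, a comment such as `// NOTE: /0 is accepted; do not use 0.0.0.0/0 outside a lab` next to the regex would at least make the choice explicit. Unrelated but in the same hunk, the comment above `regex_management_password_hash` reads `// Will fail if var.gateway_password_hash is invalid` and should say `management_password_hash`.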
@@ -0,0 +1,60 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "launch_qs_autoscale" {
+ source = "../qs-autoscale"
+ providers = {
+ aws = aws
+ }
+
+ region = var.region
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = module.launch_vpc.vpc_id
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ provision_tag = var.provision_tag
+ load_balancers_type = var.load_balancers_type
+ load_balancer_protocol = var.load_balancer_protocol
+ certificate = var.certificate
+ service_port = var.service_port
+ admin_shell = var.admin_shell
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ gateway_instance_type = var.gateway_instance_type
+ gateways_min_group_size = var.gateways_min_group_size
+ gateways_max_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ enable_cloudwatch = var.enable_cloudwatch
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.gateway_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateways_blades = var.gateways_blades
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+ servers_deploy= var.servers_deploy
+ servers_subnets = module.launch_vpc.private_subnets_ids_list
+ servers_instance_type = var.servers_instance_type
+ server_ami = var.server_ami
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/output.tf b/deprecated/terraform/aws/R81/qs-autoscale-master/output.tf
new file mode 100755
index 00000000..1130dfe0
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale-master/output.tf
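Review bot: In `module "launch_qs_autoscale"` the line `management_password_hash = var.gateway_password_hash` hands the gateway admin password hash to the Security Management Server, so the `management_password_hash` variable that variables.tf declares (and that terraform.tfvars sets) is silently ignored and an operator who chose distinct credentials for the two roles ends up with the gateway password on the management server. The line should read `management_password_hash = var.management_password_hash`, matching how every other management_* argument in this block is wired. The `provider "aws"` block also feeds `access_key`/`secret_key` from plain variables; the README already recommends environment variables, so a one-line comment pointing to that here would help readers who start from main.tf.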
@@ -0,0 +1,58 @@
+output "Deployment" {
+ value = module.launch_qs_autoscale.Deployment
+}
+
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "public_rout_table" {
+ value = module.launch_vpc.public_rtb
+}
+
+output "management_name" {
+ value = module.launch_qs_autoscale.management_name
+}
+output "internal_port" {
+ value = module.launch_qs_autoscale.internal_port
+}
+output "load_balancer_url" {
+ value = module.launch_qs_autoscale.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.launch_qs_autoscale.external_load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.launch_qs_autoscale.internal_load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.external_lb_target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.internal_lb_target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.launch_qs_autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.launch_qs_autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = module.launch_qs_autoscale.configuration_template
+}
+output "controller_name" {
+ value = module.launch_qs_autoscale.controller_name
+}
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/terraform.tfvars b/deprecated/terraform/aws/R81/qs-autoscale-master/terraform.tfvars
new file mode 100755
index 00000000..37a07774
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale-master/terraform.tfvars
@@ -0,0 +1,57 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = true
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345abc"
\ No newline at end of file
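Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` expose the management server's web, SSH and SmartConsole ports and its gateway-facing SIC listener to every IPv4 address, and `gateway_SICKey = "12345678"` is the exact minimum-length example the README quotes, which a user copying this file unchanged will deploy as the trust secret between gateways and management. Since terraform.tfvars is what people copy, the shipped sample should carry a deliberately narrow placeholder and a comment: `admin_cidr = "0.0.0.0/0" # CHANGE ME: restrict to your administrators' network before applying` and `gateway_SICKey = "12345678" # CHANGE ME: use a random string of at least 8 alphanumeric characters`. Both password-hash fields are left as `""`, which is documented as optional, but a comment that an empty value means no admin password is set would make the consequence visible.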
diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/variables.tf b/deprecated/terraform/aws/R81/qs-autoscale-master/variables.tf
new file mode 100755
index 00000000..317b1c94
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale-master/variables.tf
@@ -0,0 +1,240 @@ +// Module: Check Point CloudGuard Network Quick Start Auto Scaling +//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC. + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} +// --- Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "provision_tag" { + type = string + description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment" + default = "quickstart" +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer" +} +variable "certificate" { + type = string + description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP" +} +variable "service_port" { + type = string + description = "The external Load Balancer listens to this port. 
Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Web Servers Auto Scaling Group Configuration --- +variable "servers_deploy" { + type = bool + description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored" + default = false +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)" +} diff --git a/deprecated/terraform/aws/R81/qs-autoscale-master/versions.tf b/deprecated/terraform/aws/R81/qs-autoscale-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R81/qs-autoscale-master/versions.tf 
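Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash` and the two `*_maintenance_mode_password_hash` variables are declared as ordinary strings, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, which supports the `sensitive` argument on variable blocks, so each of these declarations should carry `sensitive = true` (this redacts CLI output only; the values still land in state, so the state backend must be access-controlled and encrypted). `secret_key` also defaults to `""`, which means a forgotten credential yields an opaque provider error rather than a clear "variable not set" message; consider removing the default or documenting in the description that the environment-variable path the README recommends is preferred.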
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/qs-autoscale/README.md b/deprecated/terraform/aws/R81/qs-autoscale/README.md
new file mode 100755
index 00000000..b86ceddd
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale/README.md
@@ -0,0 +1,238 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale +- /terraform/aws/modules/custom-autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- General Settings --- + vpc_id = "vpc-12345678" + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Application Load Balancer" + load_balancer_protocol = "HTTP" + certificate = "" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateways_subnets = ["subnet-123b5678", "subnet-123a4567"] + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the 
gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = true + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = false + servers_subnets = ["subnet-1234abcd", "subnet-56789def"] + servers_instance_type = "t3.micro" + server_ami = "ami-12345678" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_name | The deployed Security Management AWS instance name | +| internal_port | The internal Load Balancer should listen to this port | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_LB_target_group_arn | The external Load Balancer Target Group ARN | +| internal_LB_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| 
autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. 
New Health Check Port is 8117 and Protocol TCP | +| 20231127 | Add support for parameter admin shell | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/qs-autoscale/locals.tf b/deprecated/terraform/aws/R81/qs-autoscale/locals.tf new file mode 100755 index 00000000..2ecac5dd --- /dev/null +++ b/deprecated/terraform/aws/R81/qs-autoscale/locals.tf 
@@ -0,0 +1,71 @@
+locals {
+ load_balancer_name = format("%sLB", var.prefix != "" ? format("%s-", var.prefix) : "")
+ target_group_name = format("%sTG", var.prefix != "" ? format("%s-", var.prefix) : "")
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"
+ ]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"
+ ] : [
+ "HTTP",
+ "HTTPS"
+ ]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ? 0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+
+ alb_condition = var.load_balancers_type == "Application Load Balancer"
+ nlb_condition = var.load_balancers_type == "Network Load Balancer"
+ provided_port_condition = var.service_port != ""
+ encrypted_protocol_condition = (local.alb_condition && var.load_balancer_protocol == "HTTPS") || (local.nlb_condition && var.load_balancer_protocol == "TLS") ? true : false
+ deploy_management_condition = var.management_deploy == true
+ deploy_servers_condition = var.servers_deploy == true
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/qs-autoscale/main.tf b/deprecated/terraform/aws/R81/qs-autoscale/main.tf
new file mode 100755
index 00000000..7fa5f27f
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale/main.tf
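Review bot: `regex_valid_certificate` only admits IAM server-certificate ARNs in the `aws` partition (`arn:aws:<service>::<account>:server-certificate/...`, empty region field), so an ACM certificate ARN of the form `arn:aws:acm:<region>:<account>:certificate/<uuid>` — the usual choice for an ALB/NLB listener — fails the `regex_certificate` check, and the only way past it is to fall back to an unencrypted HTTP/TCP listener. If ACM is meant to be supported, widen the pattern to something like `regex_valid_certificate = "^(arn:aws[a-z-]*:(iam::[0-9]{12}:server-certificate/[\\w+=,.@/-]+|acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]+))?$"` and adjust the example in the error message; if only IAM certificates are intended, the error text should say so explicitly. Separately, `regex_valid_gateway_sic_key` accepts any eight-plus alphanumeric string, so the placeholder `12345678` shipped in terraform.tfvars passes validation unchanged; consider a higher minimum length or rejecting that literal. Minor: the comment above `regex_management_password_hash` says `var.gateway_password_hash` (copy-paste) and the key_name message should read `must be a non-empty string`.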
@@ -0,0 +1,165 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_security_group" "external_alb_security_group" {
+ count = local.alb_condition ? 1 : 0
+ description = "External ALB security group"
+ vpc_id = var.vpc_id
+
+ egress {
+ from_port = local.encrypted_protocol_condition ? 9443 : 9080
+ protocol = "tcp"
+ to_port = local.encrypted_protocol_condition ? 9443 : 9080
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+module "external_load_balancer" {
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = var.load_balancers_type
+ instances_subnets = var.gateways_subnets
+ prefix_name = "${var.prefix}-External"
+ internal = false
+ security_groups = local.alb_condition ? [aws_security_group.external_alb_security_group[0].id] : []
+ tags = {}
+ vpc_id = var.vpc_id
+ load_balancer_protocol = var.load_balancer_protocol
+ target_group_port = local.encrypted_protocol_condition ? 9443 : 9080
+ listener_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? "443" : "80"
+ certificate_arn = local.encrypted_protocol_condition ? var.certificate : ""
+ health_check_port = var.load_balancers_type == "Network Load Balancer" ? 8117 : null
+ health_check_protocol = var.load_balancers_type == "Network Load Balancer" ? "TCP" : null
+}
+
+module "autoscale" {
+ source = "../autoscale"
+ providers = {
+ aws = aws
+ }
+
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = var.vpc_id
+ subnet_ids = var.gateways_subnets
+ gateway_name = "${var.provision_tag}-security-gateway"
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.gateways_min_group_size
+ maximum_group_size = var.gateways_max_group_size
+ target_groups = tolist([module.external_load_balancer.target_group_arn])
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo -e '\nFinished Bootstrap script\n'"
+ management_server = "${var.provision_tag}-management"
+ configuration_template = "${var.provision_tag}-template"
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ? 1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.gateways_subnets[0]
+ management_name = "${var.provision_tag}-management"
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ iam_permissions = "Create with read-write permissions"
+ management_version = var.management_version
+ admin_shell = var.admin_shell
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateways_addresses
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.provision_tag}-management -tn ${var.provision_tag}-template -cn ${var.provision_tag}-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.provision_tag}-template -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'"
+}
+
+resource "aws_security_group" "internal_security_group" {
+ count = local.deploy_servers_condition ? 1 : 0
+ vpc_id = var.vpc_id
+
+ egress {
+ from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = local.encrypted_protocol_condition ? 443 : 80
+ protocol = "tcp"
+ to_port = local.encrypted_protocol_condition ? 443 : 80
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = -1
+ protocol = "icmp"
+ to_port = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+module "internal_load_balancer" {
+ count = local.deploy_servers_condition ? 1 : 0
+ source = "../modules/common/load_balancer"
+
+ load_balancers_type = var.load_balancers_type
+ instances_subnets = var.servers_subnets
+ prefix_name = "${var.prefix}-Internal"
+ internal = true
+ security_groups = local.alb_condition ? [aws_security_group.internal_security_group[0].id] : []
+ tags = {
+ x-chkp-management = "${var.provision_tag}-management"
+ x-chkp-template = "${var.provision_tag}-template"
+ }
+ vpc_id = var.vpc_id
+ load_balancer_protocol = var.load_balancer_protocol
+ target_group_port = local.encrypted_protocol_condition ? 443 : 80
+ listener_port = local.encrypted_protocol_condition ? "443" : "80"
+ certificate_arn = local.encrypted_protocol_condition ? var.certificate : ""
+}
+
+module "custom_autoscale" {
+ count = local.deploy_servers_condition ? 1 : 0
+ source = "../modules/custom-autoscale"
+
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = var.vpc_id
+ servers_subnets = var.servers_subnets
+ server_ami = var.server_ami
+ server_name = "${var.provision_tag}-server"
+ servers_instance_type = var.servers_instance_type
+ key_name = var.key_name
+ servers_min_group_size = var.gateways_min_group_size
+ servers_max_group_size = var.gateways_max_group_size
+ servers_target_groups = module.internal_load_balancer[0].target_group_id
+ deploy_internal_security_group = local.nlb_condition ? true : false
+ source_security_group = local.nlb_condition ? "" : aws_security_group.internal_security_group[0].id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/qs-autoscale/output.tf b/deprecated/terraform/aws/R81/qs-autoscale/output.tf
new file mode 100755
index 00000000..edb1a1f6
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale/output.tf
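Review bot: `aws_security_group.internal_security_group` admits the service port and all ICMP from `0.0.0.0/0`, although as far as the wiring here shows the only intended client of the internal ALB is the gateway Auto Scaling Group (the external LB targets the gateways, the internal LB fronts the web servers); with a world-open rule any instance in the VPC, or in a peered/VPN-attached network, can reach the web tier directly and bypass inspection. The gateways' security group is already available as `module.autoscale.autoscale_security_group_id` (output.tf exports it), so both ingress blocks can key off it instead of a CIDR: replace `cidr_blocks = ["0.0.0.0/0"]` with `security_groups = [module.autoscale.autoscale_security_group_id]`, and drop the ICMP rule unless something actually needs it (note the SG is only attached when `local.alb_condition` holds, so the NLB path is unaffected). A second, smaller point: `management_bootstrap_script` interpolates `${var.gateway_SICKey}` in clear text and is presumably rendered into the instance's user data by the management module, where it is readable via `ec2:DescribeInstanceAttribute` and from IMDS on the box itself (IMDSv2 only blocks SSRF-style reads, not local ones); a comment on that line saying the key is a one-time secret that should be rotated once the gateways have established SIC would help the next operator.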
@@ -0,0 +1,45 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_name" {
+ value = "${var.provision_tag}-management"
+}
+output "internal_port" {
+ value = local.encrypted_protocol_condition ? 443 : 80
+}
+output "load_balancer_url" {
+ value = module.external_load_balancer.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.external_load_balancer.load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.internal_load_balancer[*].load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.external_load_balancer.target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.internal_load_balancer[*].target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = "${var.provision_tag}-template"
+}
+output "controller_name" {
+ value = "${var.provision_tag}-controller"
+}
diff --git a/deprecated/terraform/aws/R81/qs-autoscale/terraform.tfvars b/deprecated/terraform/aws/R81/qs-autoscale/terraform.tfvars
new file mode 100755
index 00000000..d9eb16f4
--- /dev/null
+++ b/deprecated/terraform/aws/R81/qs-autoscale/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+// --- General Settings ---
+vpc_id = "vpc-12345678"
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = false
+servers_subnets = ["subnet-1234abcd", "subnet-56789def"]
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345678"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/qs-autoscale/variables.tf b/deprecated/terraform/aws/R81/qs-autoscale/variables.tf
new file mode 100755
index 00000000..070ec4f4
--- /dev/null
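Review bot: `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` near the end of the hunk are the values a user copies into a real deployment, and per the variable descriptions they admit web, SSH and graphical-client traffic to the Security Management Server from every source address. A sample should ship with a placeholder that fails closed rather than open, e.g. `admin_cidr = "203.0.113.0/24" # replace with your admin network; 0.0.0.0/0 exposes management web/ssh to the Internet`, and the VPC CIDR rather than the whole Internet for `gateways_addresses`. The same applies to `gateway_SICKey = "12345678"`: it satisfies the 8-alphanumeric minimum but is a sequential sample that will be deployed verbatim by anyone who edits only the subnet IDs, and because this is `terraform.tfvars` a real key typed here would be committed as well; a non-deployable placeholder plus a comment pointing at `TF_VAR_gateway_SICKey` or a gitignored vars file avoids both.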
+++ b/deprecated/terraform/aws/R81/qs-autoscale/variables.tf 
@@ -0,0 +1,231 @@ +// Module: Check Point CloudGuard Network Quick Start Auto Scaling +//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} +// --- General Settings --- +variable "vpc_id" { + type = string +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "provision_tag" { + type = string + description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment" + default = "quickstart" +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer" +} +variable "certificate" { + type = string + description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP" +} +variable "service_port" { + type = string + description = "The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateways_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Web Servers Auto Scaling Group Configuration --- +variable "servers_deploy" { + type = bool + description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored" + default = false +} +variable "servers_subnets" { + type = list(string) + description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-1234,subnet-5678,subnet-9012)" +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-1234)" +} diff --git a/deprecated/terraform/aws/R81/qs-autoscale/versions.tf b/deprecated/terraform/aws/R81/qs-autoscale/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/deprecated/terraform/aws/R81/qs-autoscale/versions.tf 
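Review bot: None of the secret-bearing inputs in this hunk — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash`, `management_maintenance_mode_password_hash` — is declared `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and any CI log that captures it. `versions.tf` in the same commit pins `required_version = ">= 0.14.3"`, and the `sensitive` argument exists from 0.14, so adding `sensitive = true` to each of those six variable blocks has no compatibility cost. The description of `gateway_SICKey` promises "at least 8 alphanumeric characters" but nothing enforces it; a `validation` block with `condition = length(var.gateway_SICKey) >= 8 && can(regex("^[a-zA-Z0-9]+$", var.gateway_SICKey))` would reject a weak or malformed key at plan time instead of during gateway provisioning. The file is being added under `deprecated/`, so the same gaps are presumably worth checking in the live copy of the module.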
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/standalone-master/README.md b/deprecated/terraform/aws/R81/standalone-master/README.md
new file mode 100755
index 00000000..3cc1d050
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone-master/README.md
@@ -0,0 +1,202 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + +This solution uses the following modules: +- /terraform/aws/standalone +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------|------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rtb_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform Provider version to 5.20.1 | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/standalone-master/locals.tf b/deprecated/terraform/aws/R81/standalone-master/locals.tf new file mode 100755 index 00000000..61326301 --- /dev/null +++ b/deprecated/terraform/aws/R81/standalone-master/locals.tf 
@@ -0,0 +1,36 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 
0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.standalone_password_hash is invalid + regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" + +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/standalone-master/main.tf b/deprecated/terraform/aws/R81/standalone-master/main.tf new file mode 100755 index 00000000..999c506e --- /dev/null +++ b/deprecated/terraform/aws/R81/standalone-master/main.tf 
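Review bot: The comment and error string for the CIDR checks in the middle of the hunk refer to `var.admin_subnet`, but the variable actually validated is `var.admin_cidr` (see `mgmt_subnet_regex_result`), so the message a user sees names an input that does not exist; change them to `// Will fail if var.admin_cidr or var.gateway_addresses are invalid` and `"var.admin_cidr must be a valid CIDR range"`. Note also that `regex_valid_cidr_range` makes the `/prefix` optional, so a bare address such as `10.0.0.1` passes this check and presumably only fails later where it is used as a security-group `cidr_blocks` entry. The `regex_key_name_result` pattern is unanchored and the local merely compares the match with the input, which never raises on its own unless the local is referenced elsewhere, so it likely validates nothing. With `required_version >= 0.14.3` in the same commit, variable `validation` blocks (e.g. `condition = can(cidrnetmask(var.admin_cidr))`) would give both a real plan-time failure and a correctly named message.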
@@ -0,0 +1,63 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_standalone_into_vpc" {
+ source = "../standalone"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ standalone_name = var.standalone_name
+ standalone_instance_type = var.standalone_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ standalone_version = var.standalone_version
+ admin_shell = var.admin_shell
+ standalone_password_hash = var.standalone_password_hash
+ standalone_maintenance_mode_password_hash = var.standalone_maintenance_mode_password_hash
+ standalone_hostname = var.standalone_hostname
+ allow_upload_download = var.allow_upload_download
+ 
enable_cloudwatch = var.enable_cloudwatch
+ standalone_bootstrap_script = var.standalone_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateway_addresses
+}
diff --git a/deprecated/terraform/aws/R81/standalone-master/output.tf b/deprecated/terraform/aws/R81/standalone-master/output.tf
new file mode 100755
index 00000000..11d557b9
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone-master/output.tf
@@ -0,0 +1,27 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "standalone_instance_id" {
+ value = module.launch_standalone_into_vpc.standalone_instance_id
+}
+output "standalone_instance_name" {
+ value = module.launch_standalone_into_vpc.standalone_instance_name
+}
+output "standalone_public_ip" {
+ value = module.launch_standalone_into_vpc.standalone_public_ip
+}
+output "standalone_ssh" {
+ value = module.launch_standalone_into_vpc.standalone_ssh
+}
+output "standalone_url" {
+ value = module.launch_standalone_into_vpc.standalone_url
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone-master/terraform.tfvars b/deprecated/terraform/aws/R81/standalone-master/terraform.tfvars
new file mode 100755
index 00000000..4f6b6131
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone-master/terraform.tfvars
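Review bot: `aws_route_table_association.private_rtb_to_private_subnets` attaches the private route table only to `private_subnets_ids_list[0]`, while `private_subnets_map` (variables.tf in this diff) accepts any number of availability-zone entries; any further private subnet stays on the VPC's main route table and presumably never receives the 0.0.0.0/0 route that the standalone module installs into `private_route_table`. If several private subnets are meant to be supported, `count = length(module.launch_vpc.private_subnets_ids_list)` together with `subnet_id = module.launch_vpc.private_subnets_ids_list[count.index]` covers them all; if only the first is intended, a comment saying so on the resource would spare the next reader the question. The explicit `depends_on = [module.launch_vpc]` on both resources is redundant with the `module.launch_vpc.*` references they already contain.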
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone-master/variables.tf b/deprecated/terraform/aws/R81/standalone-master/variables.tf
new file mode 100755
index 00000000..212dc108
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone-master/variables.tf
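Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` admit every source address to the management server's web, SSH and graphical-client ports, whereas the variable descriptions on this page present these CIDRs as the way to restrict that access to a specific network. A shipped tfvars tends to be applied as-is, so a comment above the two lines, e.g. `// Restrict to the network your administrators and gateways connect from, e.g. "203.0.113.0/24"` (RFC 5737 documentation range, constructed example), would make the intended narrowing explicit. The same sample values appear in deprecated/terraform/aws/R81/standalone/terraform.tfvars later in this diff.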
@@ -0,0 +1,174 @@
+// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "standalone_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance"
+ default = "Check-Point-Standalone-tf"
+}
+variable "standalone_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway & Management (Standalone) instance"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "standalone"
+ instance_type = var.standalone_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "standalone_version" {
+ type = string
+ description = "Gateway & Management (Standalone) version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_standalone_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "standalone"
+ version_license = var.standalone_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "standalone_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string
+ default = ""
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) The name tag of the resources"
+ default = ""
+}
+variable "standalone_hostname" {
+ type = string
+ description = "(Optional) Security Gateway & Management (Standalone) prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "standalone_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
diff --git a/deprecated/terraform/aws/R81/standalone-master/versions.tf b/deprecated/terraform/aws/R81/standalone-master/versions.tf
new file mode 100755
index 00000000..a95f0172
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone-master/versions.tf
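Review bot: `secret_key`, `standalone_password_hash` and `standalone_maintenance_mode_password_hash` carry credentials but are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in the rendered `user_data` diff of the standalone module they are passed to. versions.tf in this diff requires Terraform `>= 0.14.3`, which supports the attribute; adding `sensitive = true` to each of the three declarations (and to `access_key`, for consistency) makes Terraform redact them in CLI output — they are still written to state, so state access still needs protecting. `resource "null_resource" "volume_size_too_small"` relies on the `count = cond ? 0 : "message"` trick, whose message text is not surfaced as far as I can tell; a `validation { condition = var.volume_size >= 100` / `error_message = "volume_size must be at least 100" }` block on `volume_size` performs the same check with a message that is actually shown. The companion deprecated/terraform/aws/R81/standalone/variables.tf hunk lies outside this chunk and presumably repeats the same declarations.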
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/README.md b/deprecated/terraform/aws/R81/standalone/README.md
new file mode 100755
index 00000000..0a0562f4
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/README.md
@@ -0,0 +1,178 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation + + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/standalone/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + 
allocate_and_associate_eip = true + ``` + - To create route from '0.0.0.0/0' to the Standalone instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|------------------------------------------------------------------------------| +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/standalone/locals.tf b/deprecated/terraform/aws/R81/standalone/locals.tf new file mode 100755 index 00000000..6e438e83 --- /dev/null +++ b/deprecated/terraform/aws/R81/standalone/locals.tf 
@@ -0,0 +1,41 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_subnet or var.gateway_addresses are invalid
+ mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.standalone_password_hash is invalid
+ regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 
0 : "Variable [standalone_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.standalone_version), 0)
+
+ standalone_bootstrap_script64 = base64encode(var.standalone_bootstrap_script)
+ standalone_password_hash_base64 = base64encode(var.standalone_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.standalone_maintenance_mode_password_hash)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/main.tf b/deprecated/terraform/aws/R81/standalone/main.tf
new file mode 100755
index 00000000..f9df43ff
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/main.tf
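Review bot: `var.standalone_hostname` is the one value that reaches the quoted shell arguments in standalone_userdata.yaml (later in this diff) neither checked in this block nor base64-encoded first — `admin_shell`, `key_name`, `admin_cidr`, `gateway_addresses`, both NTP servers and both password hashes each get a pattern check here, and the bootstrap script and hashes additionally go through `base64encode`. A hostname containing a double quote or other shell metacharacter can therefore malform the `hostName=\"...\"` argument at first boot instead of being rejected at plan time; a local mirroring the NTP check closes the gap, for example `regex_valid_hostname = "^[a-zA-Z0-9\\-]*$"` with `regex_hostname = regex(local.regex_valid_hostname, var.standalone_hostname) == var.standalone_hostname ? 0 : "Variable [standalone_hostname] must be a valid hostname"` (pattern is a constructed example; align it with the product's hostname rules). Separately, `volume_encryption_condition = var.volume_encryption != "" ? true : false` reads more simply as `volume_encryption_condition = var.volume_encryption != ""`.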
@@ -0,0 +1,145 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.standalone_version
+ chkp_type = "standalone"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.standalone_name
+}
+
+resource "aws_iam_instance_profile" "standalone_instance_profile" {
+ count = local.enable_cloudwatch_policy
+ path = "/"
+ role = aws_iam_role.standalone_iam_role[count.index].name
+}
+
+resource "aws_iam_role" "standalone_iam_role" {
+ count = local.enable_cloudwatch_policy
+ assume_role_policy = data.aws_iam_policy_document.standalone_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "standalone_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_role.standalone_iam_role[count.index].name
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name
+}
+resource "aws_network_interface" "public_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth0"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name) }
+}
+resource "aws_network_interface" "private_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth1"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.standalone_name) }
+}
+
+module "common_eip" {
+ source = "../modules/common/elastic_ip"
+
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ external_eni_id = aws_network_interface.public_eni.id
+ private_ip_address = aws_network_interface.public_eni.private_ip
+}
+
+module "common_internal_default_route" {
+ source = "../modules/common/internal_default_route"
+
+ private_route_table = var.private_route_table
+ internal_eni_id = aws_network_interface.private_eni.id
+}
+
+resource "aws_launch_template" "standalone_launch_template" {
+ instance_type = var.standalone_instance_type
+ key_name = var.key_name
+ image_id = module.amis.ami_id
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = (local.enable_cloudwatch_policy == 1 ? aws_iam_instance_profile.standalone_instance_profile[0].id : "")
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.public_eni.id
+ device_index = 0
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ network_interfaces {
+ network_interface_id = aws_network_interface.private_eni.id
+ device_index = 1
+ }
+}
+
+resource "aws_instance" "standalone-instance" {
+ launch_template {
+ id = aws_launch_template.standalone_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.standalone_name
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition
+ kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : ""
+ }
+
+ user_data = templatefile("${path.module}/standalone_userdata.yaml", {
+ // script's arguments
+ Hostname = var.standalone_hostname,
+ PasswordHash = local.standalone_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ Shell = var.admin_shell,
+ AdminSubnet = var.admin_cidr,
+ EnableInstanceConnect = var.enable_instance_connect,
+ StandaloneBootstrapScript = local.standalone_bootstrap_script64
+ AllocateElasticIP = var.allocate_and_associate_eip
+ OsVersion = local.version_split
+ })
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/output.tf b/deprecated/terraform/aws/R81/standalone/output.tf
new file mode 100755
index 00000000..5a46d0fa
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/output.tf
@@ -0,0 +1,15 @@
+output "standalone_instance_id" {
+ value = aws_instance.standalone-instance.id
+}
+output "standalone_instance_name" {
+ value = aws_instance.standalone-instance.tags["Name"]
+}
+output "standalone_public_ip" {
+ value = aws_instance.standalone-instance.public_ip
+}
+output "standalone_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_instance.standalone-instance.public_ip)
+}
+output "standalone_url" {
+ value = format("https://%s", aws_instance.standalone-instance.public_ip)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/standalone_userdata.yaml b/deprecated/terraform/aws/R81/standalone/standalone_userdata.yaml
new file mode 100755
index 00000000..0bf47ec4
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/standalone_userdata.yaml
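Review bot: In the `ebs_block_device` block, `encrypted = local.volume_encryption_condition` ties root-volume encryption to whether a key identifier was supplied, so `volume_encryption = ""` silently produces an unencrypted root volume instead of falling back to the account's default EBS key; the variable description on this page presents the value as a choice of key, not as an encryption on/off switch. Decoupling the two keeps the volume encrypted in every case: `encrypted = true` and `kms_key_id = var.volume_encryption != "" ? var.volume_encryption : null` (`null` leaves the argument unset rather than passing an empty key id). A one-line comment on the block stating that an empty key id means "AWS-managed default key" would document the resulting contract for callers of the module.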
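Review bot: `standalone_public_ip`, `standalone_ssh` and `standalone_url` all read `aws_instance.standalone-instance.public_ip`, yet when `allocate_and_associate_eip` is true the reachable address is the Elastic IP that `module "common_eip"` attaches to `public_eni`; the AWS provider documents that `public_ip` on `aws_instance` should not be relied on together with an EIP because the attribute changes once the EIP is attached. Taking the address from the EIP module when one was allocated, e.g. `value = var.allocate_and_associate_eip ? module.common_eip.<eip-address-output> : aws_instance.standalone-instance.public_ip` (output name to be taken from modules/common/elastic_ip, not visible here), keeps the three outputs stable across refreshes. With `allocate_and_associate_eip = false` in a subnet without auto-assigned public addresses, `standalone_ssh` and `standalone_url` would be formatted around an empty string, which a short comment on those outputs could warn about.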
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/terraform.tfvars b/deprecated/terraform/aws/R81/standalone/terraform.tfvars
new file mode 100755
index 00000000..edad70cd
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/terraform.tfvars
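Review bot: The `python3 /etc/cloud_config.py` line interpolates `Hostname`, `NTPPrimary`, `NTPSecondary`, `Shell` and `AdminSubnet` straight from the Terraform variables into shell words wrapped in `\"…\"`, so a value containing a double quote, backslash or `$` ends the argument early and changes what cloud_config.py receives, whereas the password hashes and the bootstrap script are base64-encoded in main.tf before they reach this template. The cleanest fix is to give those five values the same base64 treatment, or to add `validation` blocks in variables.tf that reject quote and dollar characters. `hostName=\"${Hostname }\"` also carries a stray space inside the interpolation; it parses, but `${Hostname}` matches the other placeholders. This file is a copy under deprecated/, so if the live standalone template shares the line the fix belongs there too.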
@@ -0,0 +1,39 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/standalone/variables.tf b/deprecated/terraform/aws/R81/standalone/variables.tf
new file mode 100755
index 00000000..afdec993
--- /dev/null
+++ b/deprecated/terraform/aws/R81/standalone/variables.tf
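Review bot: The example file ships `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"`, and variables.tf in the next hunk sets `default = "0.0.0.0/0"` for both, so a user who copies the example or omits the values gets a management server whose web, SSH and SIC access is open to every address without ever stating that choice. A placeholder the user must replace reads more safely here, e.g. `admin_cidr = "203.0.113.0/24" // placeholder: replace with your admin network`, and dropping the defaults in variables.tf would make the value a required input. The same open value reaches the tests through `anywhereAddress` in globals.go, which is less of a concern for disposable test infrastructure but worth a comment there.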
@@ -0,0 +1,172 @@ +// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_id" { + type = string + description = "The public subnet of the Security Gateway & Management (Standalone)" +} +variable "private_subnet_id" { + type = string + description = "The private subnet of the Security Gateway & Management (Standalone)" +} +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567)" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "standalone_name" { + type = string + description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance" + default = "Check-Point-Standalone-tf" +} +variable "standalone_instance_type" { + type = string + description = "The instance type of the Security Gateway & Management (Standalone) instance" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "standalone" + instance_type = var.standalone_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource 
"null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance" + default = {} +} + +// --- Check Point Settings --- +variable "standalone_version" { + type = string + description = "Security Gateway & Management (Standalone) version and license" + default = "R81.20-BYOL" +} +module "validate_standalone_version" { + source = "../modules/common/version_license" + + chkp_type = "standalone" + version_license = var.standalone_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "standalone_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "standalone_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) The name tag of the resources" + default = "" +} +variable "standalone_hostname" { + type = string + description = "(Optional) Security Gateway & Management (Standalone) prompt hostname" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "standalone_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Management Server" + default = "0.0.0.0/0" +} diff --git a/deprecated/terraform/aws/R81/standalone/versions.tf b/deprecated/terraform/aws/R81/standalone/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null 
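Review bot: `secret_key`, `standalone_password_hash` and `standalone_maintenance_mode_password_hash` are declared as plain `string` variables, so their values are printed in `terraform plan` output and in state diffs; versions.tf in this commit requires Terraform >= 0.14.3, which supports the `sensitive` attribute, so each of the three can simply gain `sensitive = true`. The `null_resource.volume_size_too_small` guard aborts by feeding a string into `count`, a trick that predates variable validation; on the same Terraform floor a `validation { condition = var.volume_size >= 100` / `error_message = "volume_size must be at least 100" }` block on `volume_size` produces a proper error message and removes the orphan resource. `private_route_table` also has `default= ""`, the only assignment in the file without a space before the `=`.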
+++ b/deprecated/terraform/aws/R81/standalone/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tests/cluster_master_test.go b/deprecated/terraform/aws/R81/tests/cluster_master_test.go
new file mode 100755
index 00000000..adf31fe9
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tests/cluster_master_test.go
@@ -0,0 +1,100 @@ +package tests + +import ( + "github.com/stretchr/testify/assert" + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" +) + +// Test the Terraform module in aws/cluster-master using terratest. +func TestClusterMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsClusterMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetClusterMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsClusterMaster(t, terraformOptions) +} + +func GetTerraformOptionsClusterMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../cluster-master", + + // Variables passed to the module execution using -var options. 
To change any value refer to globals.go + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMapSingle, + "private_subnets_map": privateSubnetsMapSingle, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": clusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "allocate_and_associate_eip": allocateAndAssociatePublicEip, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueClusterGateway}, + "predefined_role": predefinedRole, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "memberAToken": gatewaySmart1CloudToken, + "memberBToken": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetClusterMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsClusterMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsClusterMaster(t *testing.T, terraformOptions *terraform.Options) { + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip") + outputMemberAEipPublicIP := terraform.Output(t, terraformOptions, 
"member_a_public_ip") + outputMemberBEipPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip") + outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh") + outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh") + outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url") + outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url") + + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputClusterPublicIP) + assert.NotEmpty(t, outputMemberAEipPublicIP) + assert.NotEmpty(t, outputMemberBEipPublicIP) + assert.NotEmpty(t, outputMemberASSH) + assert.NotEmpty(t, outputMemberBSSH) + assert.NotEmpty(t, outputMemberAURL) + assert.NotEmpty(t, outputMemberBURL) +} diff --git a/deprecated/terraform/aws/R81/tests/cross_az_cluster_master_test.go b/deprecated/terraform/aws/R81/tests/cross_az_cluster_master_test.go new file mode 100755 index 00000000..9e09bcef --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/cross_az_cluster_master_test.go 
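Review bot: `ValidateOutputsClusterMaster` only asserts that each output is non-empty, whereas `ValidateOutputsGatewayMaster` in this commit also reads the instance tags through `aws.GetTagsForEc2Instance` and checks the `Name` and `test_tag` values, so a cluster whose members came up with the wrong name or without the `instance_tags` entry would still pass here; the same gap exists in `ValidateOutputsCrossAzClusterMaster` in cross_az_cluster_master_test.go. The cross-AZ options also omit `allocate_and_associate_eip`, which this file passes from `allocateAndAssociatePublicEip`; if that difference is intentional a one-line comment next to the Vars map would spare the next reader a diff. The import block lists `github.com/stretchr/testify/assert` before `testing`; goimports would group the standard library first, as gateway_master_test.go already does.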
@@ -0,0 +1,99 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" + "testing" +) + +// Test the Terraform module in aws/cross-az-cluster-master using terratest. +func TestCrossAzClusterMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsCrossAzClusterMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetCrossAzClusterMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsCrossAzClusterMaster(t, terraformOptions) +} + +func GetTerraformOptionsCrossAzClusterMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../cross-az-cluster-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "private_subnets_map": privateSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": crossAZClusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueClusterGateway}, + "predefined_role": predefinedRole, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, + 
"gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "memberAToken": gatewaySmart1CloudToken, + "memberBToken": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetCrossAzClusterMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsCrossAzClusterMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsCrossAzClusterMaster(t *testing.T, terraformOptions *terraform.Options) { + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip") + outputMemberAPublicIP := terraform.Output(t, terraformOptions, "member_a_public_ip") + outputMemberBPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip") + outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh") + outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh") + outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url") + outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url") + + // Validate that all output values exist + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputClusterPublicIP) + assert.NotEmpty(t, outputMemberAPublicIP) + assert.NotEmpty(t, outputMemberASSH) + assert.NotEmpty(t, outputMemberAURL) + assert.NotEmpty(t, outputMemberBPublicIP) + assert.NotEmpty(t, outputMemberBSSH) + assert.NotEmpty(t, outputMemberBURL) +} 
diff --git a/deprecated/terraform/aws/R81/tests/gateway_master_test.go b/deprecated/terraform/aws/R81/tests/gateway_master_test.go new file mode 100755 index 00000000..dd803d59 --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/gateway_master_test.go 
@@ -0,0 +1,119 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/aws" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/gateway-master using terratest. +func TestGatewayMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsGatewayMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetGatewayMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsGatewayMaster(t, terraformOptions) +} + +func GetTerraformOptionsGatewayMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../gateway-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMapSingle, + "private_subnets_map": privateSubnetsMapSingle, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": gatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "allocate_and_associate_eip": allocateAndAssociatePublicEip, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueGateway}, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, 
+ "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + + "gateway_TokenKey": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + + "control_gateway_over_public_or_private_address": gatewaysProvisionAddressType, + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetGatewayMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsGatewayMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsGatewayMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputInternalRouteTableId := terraform.Output(t, terraformOptions, "internal_rtb_id") + outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_public_subnets_ids_list") + outputVpcPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_private_subnets_ids_list") + outputAmiId := terraform.Output(t, terraformOptions, "ami_id") + outputPermissiveSgId := terraform.Output(t, terraformOptions, "permissive_sg_id") + outputPermissiveSgName := terraform.Output(t, terraformOptions, "permissive_sg_name") + outputGatewayUrl := terraform.Output(t, terraformOptions, "gateway_url") + outputGatewayPublicIp := terraform.Output(t, terraformOptions, "gateway_public_ip") + outputGatewayInstanceId := terraform.Output(t, terraformOptions, "gateway_instance_id") + outputGatewayInstanceName := terraform.Output(t, 
terraformOptions, "gateway_instance_name") + + instanceTags := aws.GetTagsForEc2Instance(t, region, outputGatewayInstanceId) + nameTag, containsNameTag := instanceTags["Name"] + assert.True(t, containsNameTag) + assert.Equal(t, gatewayExpectedName, nameTag) + assert.Equal(t, gatewayExpectedName, outputGatewayInstanceName) + + testTag, containsTestTag := instanceTags[expectedTestTagKey] + assert.True(t, containsTestTag) + assert.Equal(t, expectedTestTagValueGateway, testTag) + + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputInternalRouteTableId) + assert.NotEmpty(t, outputVpcPublicSubnetsIdsList) + assert.NotEmpty(t, outputVpcPrivateSubnetsIdsList) + assert.NotEmpty(t, outputAmiId) + assert.NotEmpty(t, outputPermissiveSgId) + assert.NotEmpty(t, outputPermissiveSgName) + assert.NotEmpty(t, outputGatewayUrl) + assert.NotEmpty(t, outputGatewayPublicIp) + assert.NotEmpty(t, outputGatewayInstanceId) + assert.NotEmpty(t, outputGatewayInstanceName) +} diff --git a/deprecated/terraform/aws/R81/tests/globals.go b/deprecated/terraform/aws/R81/tests/globals.go new file mode 100755 index 00000000..647a026f --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/globals.go 
@@ -0,0 +1,177 @@ +package tests + +import "fmt" + +// AWS region for deployed resources +const region = "ca-central-1" + +var envVars = map[string]string{ + "AWS_DEFAULT_REGION": region, +} + +const availabilityZoneA = region + "a" + +const availabilityZoneB = region + "b" + +// Predefined prefix for deployed resources +const predefinedPrefix = "test" + +// Predefined names for deployed resources +const gatewayPredefinedName = "CheckPoint-Gateway" + +const standalonePredefinedName = "CheckPoint-Standalone" + +const managementPredefinedName = "CheckPoint-Management" + +const gwlbPredefinedName = "CheckPoint-GWLB" + +const clusterGatewayPredefinedName = "CheckPoint-Cluster-Gateway" + +const crossAZClusterGatewayPredefinedName = "CheckPoint-Cross-AZ-Cluster-Gateway" + +const qsAutoscaleGatewayPredefinedName = "quickstart-security-gateway" + +const qsAutoscaleProvisionTag = "quickstart" + +const configurationTemplate = "configuration-template" + +// Expected names for deployed resources +func getExpectedName(predefinedName string) string { + return fmt.Sprintf("%s-%s", predefinedPrefix, predefinedName) +} + +var gatewayExpectedName = getExpectedName(gatewayPredefinedName) + +var standaloneExpectedName = getExpectedName(standalonePredefinedName) + +var managementExpectedName = getExpectedName(managementPredefinedName) + +var gwlbExpectedName = getExpectedName(gwlbPredefinedName) + +var clusterGatewayExpectedName = getExpectedName(clusterGatewayPredefinedName) + +var crossAZClusterGatewayExpectedName = getExpectedName(crossAZClusterGatewayPredefinedName) + +var qsAutoscaleGatewayExpectedName = getExpectedName(qsAutoscaleGatewayPredefinedName) + +// Autoscale group capacity configuration +const autoscaleGroupExpectedCapacityMin = 1 + +const autoscaleGroupExpectedCapacityMax = 1 + +const targetGroup1Name = "tf-test-target-group-1" + +// Common parameters for deployed resources +const keyName = "tf-test" + +const version = "R81.20-BYOL" + +const standaloneVersion = 
"R81.20-BYOL" + +const adminShell = "/bin/bash" + +const gatewayBootstrapScript = "echo 'this is gateway bootstrap script' > /home/admin/bootstrap.txt" + +const standaloneBootstrapScript = "echo 'this is standalone bootstrap script' > /home/admin/bootstrap.txt" + +const passwordHash = "12345678" + +const SICKey = "12345678" + +const gatewayInstanceType = "c5.xlarge" + +const standaloneInstanceType = gatewayInstanceType + +const managementInstanceType = "m5.xlarge" + +const volumeSize = 100 + +const volumeEncryption = "alias/aws/ebs" + +const webServerInstanceType = "t3.micro" + +const webServerAMI = "ami-0718a739967397e7d" + +const volumeType = "gp3" + +const anywhereAddress = "0.0.0.0/0" + +const loadBalancersType = "Network Load Balancer" + +const loadBalancerProtocol = "TCP" + +const certificate = "" + +const servicePort = "80" + +const enableVolumeEncryption = true + +const allocatePublicIP = true + +const allocateAndAssociatePublicEip = true + +const allowUploadDownload = true + +const enableInstanceConnect = true + +const enableCloudWatch = false + +const connectionAcceptanceRequired = false + +const enableCrossZoneLoadBalancing = true + +const managementDeploy = true + +const webServerDeploy = true + +const gatewaysBlades = true + +const disableInstanceTermination = false + +const gatewaySmart1CloudToken = "" + +const predefinedRole = "" + +const primaryNtp = "" + +const secondaryNtp = "" + +const expectedTestTagKey = "test_tag" + +const expectedTestTagValueClusterGateway = "cluster_gateway_tf" + +const expectedTestTagValueGateway = "gateway_tf" + +const autoscaleGroupName = "CheckPoint-ASG" + +const resourcesTagName = "tag-name" + +const gatewayHostname = "gw-hostname" + +const gatewaysProvisionAddressType = "private" + +const gatewaysPolicy = "Standard" + +const gatewayManagement = "Locally managed" + +// New VPC configuration +const vpcCIDR = "10.0.0.0/16" + +var publicSubnetsMap = map[string]int{availabilityZoneA: 1, availabilityZoneB: 3} + +var 
privateSubnetsMap = map[string]int{availabilityZoneA: 2, availabilityZoneB: 4} + +var publicSubnetsMapSingle = map[string]int{availabilityZoneA: 1} + +var privateSubnetsMapSingle = map[string]int{availabilityZoneA: 2} + +var tgwSubnetsMap = map[string]int{availabilityZoneA: 5, availabilityZoneB: 6} + +var availabilityZones = []string{availabilityZoneA, availabilityZoneB} + +const numberOfAZs = 2 + +const subnetsBitLength = 8 + +// Controller expected names +const gwlbControlllerExpectedName = "gwlb-controller" diff --git a/deprecated/terraform/aws/R81/tests/gwlb_master_test.go b/deprecated/terraform/aws/R81/tests/gwlb_master_test.go new file mode 100755 index 00000000..787277a8 --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/gwlb_master_test.go 
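Review bot: `passwordHash = "12345678"` is handed to every module as `gateway_password_hash` and `gateway_maintenance_mode_password_hash`, yet variables.tf documents those inputs as the output of `openssl passwd -6` and `grub2-mkpasswd-pbkdf2`, so the fixture is not in the format the templates expect and the tests never exercise a well-formed hash; a comment such as `// deliberately not a valid hash; login is not exercised by these tests` (or a hash generated for a throwaway test password) would make the intent explicit. `gwlbControlllerExpectedName` has a tripled "l" and is referenced from gwlb_master_test.go, so rename both together. `webServerAMI` is a region-specific image ID that only resolves while `region` stays `"ca-central-1"`; a comment tying the two constants together would prevent a silent lookup failure when one of them is changed.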
@@ -0,0 +1,99 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/gwlb-master using terratest. +func TestGwlbMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsGwlbMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsGwlbMaster(t, terraformOptions) +} + +func GetTerraformOptionsGwlbMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../gwlb-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "volume_size": volumeSize, + "enable_instance_connect": enableInstanceConnect, + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + "admin_shell": adminShell, + + "gateway_load_balancer_name": gwlbExpectedName, + "target_group_name": targetGroup1Name, + "connection_acceptance_required": connectionAcceptanceRequired, + "enable_cross_zone_load_balancing": enableCrossZoneLoadBalancing, + + "gateway_name": gatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "minimum_group_size": autoscaleGroupExpectedCapacityMin, + "maximum_group_size": autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": 
passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "gateways_provision_address_type": gatewaysProvisionAddressType, + "allocate_public_IP": allocatePublicIP, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + + "management_deploy": managementDeploy, + "management_instance_type": managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "gateways_policy": gatewaysPolicy, + "gateway_management": gatewayManagement, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + + "volume_type": volumeType, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsGwlbMaster(t *testing.T, terraformOptions *terraform.Options) { + outputDeployment := terraform.Output(t, terraformOptions, "Deployment") + outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip") + outputGWLBARN := terraform.Output(t, terraformOptions, "gwlb_arn") + outputGWLBServiceName := terraform.Output(t, terraformOptions, "gwlb_service_name") + outputGWLBName := terraform.Output(t, terraformOptions, "gwlb_name") + outputGWLBControllerName := terraform.Output(t, terraformOptions, "controller_name") + outputConfigurationTemplateName := terraform.Output(t, terraformOptions, "template_name") + + assert.Equal(t, outputGWLBName, gwlbExpectedName) + assert.Equal(t, outputGWLBControllerName, gwlbControlllerExpectedName) + assert.Equal(t, outputConfigurationTemplateName, configurationTemplate) + + assert.NotEmpty(t, outputDeployment) + assert.NotEmpty(t, outputManagementPublicIP) + assert.NotEmpty(t, outputGWLBARN) + assert.NotEmpty(t, outputGWLBServiceName) +} 
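Review bot: The three `assert.Equal` calls in `ValidateOutputsGwlbMaster` pass the Terraform output first and the expected constant second, but testify's signature is `Equal(t, expected, actual)`, so a failure is reported with the labels swapped; gateway_master_test.go in this commit uses the correct order. Change them to `assert.Equal(t, gwlbExpectedName, outputGWLBName)`, `assert.Equal(t, gwlbControlllerExpectedName, outputGWLBControllerName)` and `assert.Equal(t, configurationTemplate, outputConfigurationTemplateName)`. This test is also the only master test here that does not pre-apply `aws_route_table.private_subnet_rtb` through a targeted options set; if gwlb-master does not need that step, a short comment would explain the difference.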
diff --git a/deprecated/terraform/aws/R81/tests/qs_autoscale_master_test.go b/deprecated/terraform/aws/R81/tests/qs_autoscale_master_test.go new file mode 100755 index 00000000..df2bdbab --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/qs_autoscale_master_test.go 
@@ -0,0 +1,129 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/aws" + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in qs-autoscale-master using terratest. +func TestQsAutoscaleMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsQsAutoscaleMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsQsAutoscaleMaster(t, terraformOptions) +} + +func GetTerraformOptionsQsAutoscaleMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../qs-autoscale-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "prefix": predefinedPrefix, + "asg_name": autoscaleGroupName, + + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "private_subnets_map": privateSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "allow_upload_download": allowUploadDownload, + "provision_tag": qsAutoscaleProvisionTag, + + "load_balancers_type": loadBalancersType, + "load_balancer_protocol": loadBalancerProtocol, + "certificate": certificate, + "service_port": servicePort, + + "gateway_instance_type": gatewayInstanceType, + "gateways_min_group_size": autoscaleGroupExpectedCapacityMin, + "gateways_max_group_size": 
autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "enable_cloudwatch": enableCloudWatch, + + "management_deploy": managementDeploy, + "management_instance_type": managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "gateways_policy": gatewaysPolicy, + "gateways_blades": gatewaysBlades, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + + "servers_deploy": webServerDeploy, + "servers_instance_type": webServerInstanceType, + "server_ami": webServerAMI, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsQsAutoscaleMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "public_subnets_ids_list") + outputPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "private_subnets_ids_list") + outputManagementInstanceName := terraform.Output(t, terraformOptions, "management_name") + outputLBUrl := terraform.Output(t, terraformOptions, "load_balancer_url") + outputExternalLBId := terraform.Output(t, terraformOptions, "external_load_balancer_arn") + outputInternalLBId := terraform.Output(t, terraformOptions, "internal_load_balancer_arn") + outputExternalTGId := terraform.Output(t, terraformOptions, "external_lb_target_group_arn") + outputInternalTGId := terraform.Output(t, terraformOptions, "internal_lb_target_group_arn") + outputGwsASGId := terraform.Output(t, terraformOptions, "autoscale_autoscaling_group_arn") + outputSecurityGroup := terraform.Output(t, terraformOptions, "autoscale_security_group_id") + + asgName := terraform.Output(t, terraformOptions, 
"autoscale_autoscaling_group_name") + asgCapacityInfo := aws.GetCapacityInfoForAsg(t, asgName, region) + awsInstancesIds := aws.GetInstanceIdsForAsg(t, asgName, region) + + // website::tag::3:: + // Verify the ASG's Gateway instances contain the expected Name tag value + for _, instanceId := range awsInstancesIds { + // Look up the tags for the given Instance ID + instanceTags := aws.GetTagsForEc2Instance(t, region, instanceId) + + nameTag, containsNameTag := instanceTags["Name"] + assert.True(t, containsNameTag) + assert.Equal(t, qsAutoscaleGatewayExpectedName, nameTag) + } + + // Verify the ASG capacity info matches the expected + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMax), asgCapacityInfo.MaxCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.MinCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.CurrentCapacity) + assert.Equal(t, int64(autoscaleGroupExpectedCapacityMin), asgCapacityInfo.DesiredCapacity) + + assert.NotEmpty(t, outputManagementInstanceName) + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputPublicSubnetsIdsList) + assert.NotEmpty(t, outputPrivateSubnetsIdsList) + assert.NotEmpty(t, outputLBUrl) + assert.NotEmpty(t, outputExternalLBId) + assert.NotEmpty(t, outputInternalLBId) + assert.NotEmpty(t, outputExternalTGId) + assert.NotEmpty(t, outputInternalTGId) + assert.NotEmpty(t, outputGwsASGId) + assert.NotEmpty(t, outputSecurityGroup) +} diff --git a/deprecated/terraform/aws/R81/tests/standalone_master_test.go b/deprecated/terraform/aws/R81/tests/standalone_master_test.go new file mode 100755 index 00000000..c04e7f78 --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/standalone_master_test.go 
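Review bot: `admin_cidr` and `gateways_addresses` are both set to `anywhereAddress` in GetTerraformOptionsQsAutoscaleMaster, and the only check on the resulting security group in ValidateOutputsQsAutoscaleMaster is `assert.NotEmpty(t, outputSecurityGroup)`, so the test never confirms that the admin ingress is as narrow as intended. If anywhereAddress is 0.0.0.0/0, as the name suggests, every run stands up a management server and gateway group whose admin ports are open to the whole internet for the duration of the apply, with a password hash that is shared across the fixtures. Prefer a CIDR scoped to the test runner's egress address for `admin_cidr`, and extend the validation to describe `outputSecurityGroup` and assert that its admin ingress rule's CIDR equals the `admin_cidr` that was passed in, rather than only checking the ID is non-empty. Separately, the `CurrentCapacity` and `DesiredCapacity` assertions run immediately after apply and depend on the ASG having finished launching; waiting for capacity (terratest's aws.WaitForCapacity, if available in the pinned version) before comparing would remove that timing dependency.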
@@ -0,0 +1,112 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/aws" + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/standalone-master using terratest. +func TestStandaloneMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsStandaloneMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetStandaloneMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsStandaloneMaster(t, terraformOptions) +} + +func GetTerraformOptionsStandaloneMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../standalone-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMapSingle, + "private_subnets_map": privateSubnetsMapSingle, + "subnets_bit_length": subnetsBitLength, + + "standalone_name": standaloneExpectedName, + "standalone_instance_type": standaloneInstanceType, + "key_name": keyName, + "allocate_and_associate_eip": allocateAndAssociatePublicEip, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "instance_tags": map[string]string{expectedTestTagKey: expectedTestTagValueGateway}, + + "standalone_version": standaloneVersion, + 
"admin_shell": adminShell, + "standalone_password_hash": passwordHash, + "standalone_maintenance_mode_password_hash": passwordHash, + + "resources_tag_name": resourcesTagName, + "standalone_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "standalone_bootstrap_script": standaloneBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + "admin_cidr": anywhereAddress, + "gateway_addresses": anywhereAddress, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetStandaloneMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsStandaloneMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsStandaloneMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputInternalRouteTableId := terraform.Output(t, terraformOptions, "internal_rtb_id") + outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_public_subnets_ids_list") + outputVpcPrivateSubnetsIdsList := terraform.Output(t, terraformOptions, "vpc_private_subnets_ids_list") + outputStandaloneInstanceId := terraform.Output(t, terraformOptions, "standalone_instance_id") + outputStandaloneInstanceName := terraform.Output(t, terraformOptions, "standalone_instance_name") + outputStandalonePublicIP := terraform.Output(t, terraformOptions, "standalone_public_ip") + outputStandaloneSSH := terraform.Output(t, terraformOptions, "standalone_ssh") + outputStandaloneURL := terraform.Output(t, terraformOptions, "standalone_url") + + // website::tag::3:: + // Verify the Standalone's instances contain the expected Name tag value + instanceTags := aws.GetTagsForEc2Instance(t, region, outputStandaloneInstanceId) + nameTag, 
containsNameTag := instanceTags["Name"] + assert.True(t, containsNameTag) + assert.Equal(t, standaloneExpectedName, nameTag) + assert.Equal(t, standaloneExpectedName, outputStandaloneInstanceName) + + testTag, containsTestTag := instanceTags[expectedTestTagKey] + assert.True(t, containsTestTag) + assert.Equal(t, expectedTestTagValueGateway, testTag) + + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputInternalRouteTableId) + assert.NotEmpty(t, outputVpcPublicSubnetsIdsList) + assert.NotEmpty(t, outputVpcPrivateSubnetsIdsList) + assert.NotEmpty(t, outputStandaloneInstanceId) + assert.NotEmpty(t, outputStandaloneInstanceName) + assert.NotEmpty(t, outputStandalonePublicIP) + assert.NotEmpty(t, outputStandaloneSSH) + assert.NotEmpty(t, outputStandaloneURL) +} diff --git a/deprecated/terraform/aws/R81/tests/tgw_asg_master_test.go b/deprecated/terraform/aws/R81/tests/tgw_asg_master_test.go new file mode 100755 index 00000000..c5c98afa --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/tgw_asg_master_test.go 
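Review bot: The two-phase apply in TestStandaloneMaster, `terraform.InitAndApply(t, terraformOptionsWithTarget)` targeting only `aws_route_table.private_subnet_rtb` followed by a full `terraform.Apply`, has no comment explaining why a targeted apply must come first, and the `website::tag::2` comment above it still describes a single init-and-apply. A maintainer cannot tell whether this works around a provider ordering problem, a value unknown at plan time, or something else, so they cannot tell when the workaround is safe to drop; the tgw-cross-az test later in this diff repeats the same pattern with the same silence. Add a why-comment on GetTerraformOptionsWithTargetStandaloneMaster along the lines of `// The private route table is applied on its own first because <reason>; the untargeted apply then completes the deployment.` with the real reason filled in. Note also that `standalone_password_hash` and `standalone_maintenance_mode_password_hash` both receive the same `passwordHash`; if the intent is to exercise the two credentials as distinct values, a second fixture hash is needed.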
@@ -0,0 +1,95 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/tgw-asg-master using terratest. +func TestTgwAsgMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsTgwAsgMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsTgwAsgMaster(t, terraformOptions) +} + +func GetTerraformOptionsTgwAsgMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../tgw-asg-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "allow_upload_download": allowUploadDownload, + + "gateway_name": crossAZClusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "gateways_min_group_size": autoscaleGroupExpectedCapacityMin, + "gateways_max_group_size": autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "enable_cloudwatch": enableCloudWatch, + "asn": 6500, + + "management_deploy": managementDeploy, + "management_instance_type": 
managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "management_permissions": "Create with read-write permissions", + "management_predefined_role": predefinedRole, + "gateways_blades": gatewaysBlades, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + "gateway_management": gatewayManagement, + + "control_gateway_over_public_or_private_address": "private", + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsTgwAsgMaster(t *testing.T, terraformOptions *terraform.Options) { + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + outputVpcPublicSubnetsIdsList := terraform.Output(t, terraformOptions, "public_subnets_ids_list") + outputManagementInstanceName := terraform.Output(t, terraformOptions, "management_instance_name") + outputConfigurationTemplate := terraform.Output(t, terraformOptions, "configuration_template") + outputControllerName := terraform.Output(t, terraformOptions, "controller_name") + outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip") + outputManagementURL := terraform.Output(t, terraformOptions, "management_url") + outputAutoscalingGroupName := terraform.Output(t, terraformOptions, "autoscaling_group_name") + + assert.NotEmpty(t, outputVpcId) + assert.NotEmpty(t, outputVpcPublicSubnetsIdsList) + assert.NotEmpty(t, outputManagementInstanceName) + assert.NotEmpty(t, outputConfigurationTemplate) + assert.NotEmpty(t, outputControllerName) + assert.NotEmpty(t, outputManagementPublicIP) + assert.NotEmpty(t, outputManagementURL) + assert.NotEmpty(t, outputAutoscalingGroupName) +} 
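Review bot: `"asn": 6500` in GetTerraformOptionsTgwAsgMaster is outside the private 16-bit ASN range (64512–65534) and looks like a typo for 65000; if the module forwards it as the Transit Gateway's Amazon-side ASN, AWS rejects values outside that range, and if it becomes the gateways' BGP ASN the fixture is advertising a public ASN that belongs to some other organization. Unlike every neighbouring input it is also an inline literal rather than a shared fixture constant, so nothing else in the test package can stay in sync with it. Change it to `"asn": 65000,` or, better, introduce a named constant next to the other fixtures and reference it here, so the value is unmistakably private and reusable by sibling tests.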
diff --git a/deprecated/terraform/aws/R81/tests/tgw_cross_az_cluster_master_test.go b/deprecated/terraform/aws/R81/tests/tgw_cross_az_cluster_master_test.go new file mode 100755 index 00000000..8220bcd3 --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/tgw_cross_az_cluster_master_test.go 
@@ -0,0 +1,103 @@ +package tests + +import ( + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" + "testing" +) + +// Test the Terraform module in aws/tgw-cross-az-cluster-master using terratest. +func TestTgwCrossAzClusterMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsTgwCrossAzClusterMaster() + terraformOptionsWithTarget := GetTerraformOptionsWithTargetTgwCrossAzClusterMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptionsWithTarget) + terraform.Apply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsTgwCrossAzClusterMaster(t, terraformOptions) +} + +func GetTerraformOptionsTgwCrossAzClusterMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../tgw-cross-az-cluster-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "private_subnets_map": privateSubnetsMap, + "tgw_subnets_map": tgwSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "gateway_name": crossAZClusterGatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "key_name": keyName, + "volume_size": volumeSize, + "volume_encryption": volumeEncryption, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + + "predefined_role": predefinedRole, + + "gateway_version": version, + "admin_shell": adminShell, + "gateway_SICKey": SICKey, + "gateway_password_hash": passwordHash, + 
"gateway_maintenance_mode_password_hash": passwordHash, + + "memberAToken": gatewaySmart1CloudToken, + "memberBToken": gatewaySmart1CloudToken, + + "resources_tag_name": resourcesTagName, + "gateway_hostname": gatewayHostname, + "allow_upload_download": allowUploadDownload, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + "primary_ntp": primaryNtp, + "secondary_ntp": secondaryNtp, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func GetTerraformOptionsWithTargetTgwCrossAzClusterMaster() *terraform.Options { + terraformOptionsWithTarget := GetTerraformOptionsTgwCrossAzClusterMaster() + terraformOptionsWithTarget.Targets = []string{"aws_route_table.private_subnet_rtb"} + + return terraformOptionsWithTarget +} + +func ValidateOutputsTgwCrossAzClusterMaster(t *testing.T, terraformOptions *terraform.Options) { + outputClusterPublicIP := terraform.Output(t, terraformOptions, "cluster_public_ip") + outputMemberAPublicIP := terraform.Output(t, terraformOptions, "member_a_public_ip") + outputMemberBPublicIP := terraform.Output(t, terraformOptions, "member_b_public_ip") + outputMemberASSH := terraform.Output(t, terraformOptions, "member_a_ssh") + outputMemberBSSH := terraform.Output(t, terraformOptions, "member_b_ssh") + outputMemberAURL := terraform.Output(t, terraformOptions, "member_a_url") + outputMemberBURL := terraform.Output(t, terraformOptions, "member_b_url") + outputMemberAENI := terraform.Output(t, terraformOptions, "member_a_eni") + outputMemberBENI := terraform.Output(t, terraformOptions, "member_b_eni") + outputVpcId := terraform.Output(t, terraformOptions, "vpc_id") + + assert.NotEmpty(t, outputClusterPublicIP) + assert.NotEmpty(t, outputMemberAPublicIP) + assert.NotEmpty(t, outputMemberASSH) + assert.NotEmpty(t, outputMemberAURL) + assert.NotEmpty(t, outputMemberBPublicIP) + assert.NotEmpty(t, outputMemberBSSH) + assert.NotEmpty(t, 
outputMemberBURL) + assert.NotEmpty(t, outputMemberAENI) + assert.NotEmpty(t, outputMemberBENI) + assert.NotEmpty(t, outputVpcId) +} diff --git a/deprecated/terraform/aws/R81/tests/tgw_gwlb_master_test.go b/deprecated/terraform/aws/R81/tests/tgw_gwlb_master_test.go new file mode 100755 index 00000000..da863cea --- /dev/null +++ b/deprecated/terraform/aws/R81/tests/tgw_gwlb_master_test.go 
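Review bot: `gateway_SICKey`, `gateway_password_hash`, `memberAToken` and `memberBToken` are passed through `Vars` in GetTerraformOptionsTgwCrossAzClusterMaster, which terratest turns into `-var` command-line arguments and echoes in its command logging, so the SIC key and the Smart-1 Cloud token land in CI logs and in the runner's process listing for anyone who can read them. Move the secret inputs out of `Vars` and supply them through the existing `EnvVars` map as `TF_VAR_gateway_SICKey`, `TF_VAR_memberAToken` and so on (or via a `VarFiles` entry that is not echoed), leaving the non-secret inputs where they are. Also, `memberAToken` and `memberBToken` both receive the same `gatewaySmart1CloudToken`; if Smart-1 Cloud issues one token per gateway object, the second member's registration presumably fails, and ValidateOutputsTgwCrossAzClusterMaster would not notice because it only checks that outputs are non-empty — either use two token fixtures or assert something that depends on both members being managed.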
@@ -0,0 +1,110 @@ +package tests + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Test the Terraform module in aws/tgw-gwlb-master using terratest. +func TestTgwGwlbMaster(t *testing.T) { + t.Parallel() + + // website::tag::1::Configure Terraform setting path to Terraform code, EC2 instance name, and AWS Region. + terraformOptions := GetTerraformOptionsTgwGwlbMaster() + + // website::tag::4::At the end of the tests, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // website::tag::2::Run `terraform init` and `terraform apply` and fail the tests if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run 'terraform output' and validate output values + ValidateOutputsTgwGwlbMaster(t, terraformOptions) +} + +func GetTerraformOptionsTgwGwlbMaster() *terraform.Options { + terraformOptions := &terraform.Options{ + TerraformDir: "../tgw-gwlb-master", + + // Variables passed to the module execution using -var options + Vars: map[string]interface{}{ + "vpc_cidr": vpcCIDR, + "public_subnets_map": publicSubnetsMap, + "tgw_subnets_map": tgwSubnetsMap, + "subnets_bit_length": subnetsBitLength, + + "availability_zones": availabilityZones, + "number_of_AZs": numberOfAZs, + + "nat_gw_subnet_1_cidr": "10.0.13.0/24", + "nat_gw_subnet_2_cidr": "10.0.23.0/24", + + "gwlbe_subnet_1_cidr": "10.0.14.0/24", + "gwlbe_subnet_2_cidr": "10.0.24.0/24", + + "key_name": keyName, + "enable_volume_encryption": enableVolumeEncryption, + "volume_size": volumeSize, + "enable_instance_connect": enableInstanceConnect, + "disable_instance_termination": disableInstanceTermination, + "allow_upload_download": allowUploadDownload, + "management_server": managementExpectedName, + "configuration_template": configurationTemplate, + "admin_shell": adminShell, + + "gateway_load_balancer_name": gwlbExpectedName, + "target_group_name": 
targetGroup1Name, + "enable_cross_zone_load_balancing": enableCrossZoneLoadBalancing, + + "gateway_name": gatewayExpectedName, + "gateway_instance_type": gatewayInstanceType, + "minimum_group_size": autoscaleGroupExpectedCapacityMin, + "maximum_group_size": autoscaleGroupExpectedCapacityMax, + "gateway_version": version, + "gateway_password_hash": passwordHash, + "gateway_maintenance_mode_password_hash": passwordHash, + "gateway_SICKey": SICKey, + "gateways_provision_address_type": gatewaysProvisionAddressType, + "allocate_public_IP": allocatePublicIP, + "enable_cloudwatch": enableCloudWatch, + "gateway_bootstrap_script": gatewayBootstrapScript, + + "management_deploy": managementDeploy, + "management_instance_type": managementInstanceType, + "management_version": version, + "management_password_hash": passwordHash, + "management_maintenance_mode_password_hash": passwordHash, + "gateways_policy": gatewaysPolicy, + "gateway_management": gatewayManagement, + "admin_cidr": anywhereAddress, + "gateways_addresses": anywhereAddress, + + "volume_type": volumeType, + }, + + // Set environment variables when running Terraform + EnvVars: envVars, + } + return terraformOptions +} + +func ValidateOutputsTgwGwlbMaster(t *testing.T, terraformOptions *terraform.Options) { + outputDeployment := terraform.Output(t, terraformOptions, "Deployment") + outputManagementPublicIP := terraform.Output(t, terraformOptions, "management_public_ip") + outputGWLBARN := terraform.Output(t, terraformOptions, "gwlb_arn") + outputGWLBServiceName := terraform.Output(t, terraformOptions, "gwlb_service_name") + outputGWLBName := terraform.Output(t, terraformOptions, "gwlb_name") + outputGWLBControllerName := terraform.Output(t, terraformOptions, "controller_name") + outputConfigurationTemplateName := terraform.Output(t, terraformOptions, "template_name") + + assert.Equal(t, outputGWLBName, gwlbExpectedName) + assert.Equal(t, outputGWLBControllerName, gwlbControlllerExpectedName) + assert.Equal(t, 
outputConfigurationTemplateName, configurationTemplate) + + assert.NotEmpty(t, outputDeployment) + assert.NotEmpty(t, outputManagementPublicIP) + assert.NotEmpty(t, outputGWLBARN) + assert.NotEmpty(t, outputGWLBServiceName) +} diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/README.md b/deprecated/terraform/aws/R81/tgw-asg-master/README.md new file mode 100755 index 00000000..211549c8 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg-master/README.md 
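Review bot: The three `assert.Equal` calls in ValidateOutputsTgwGwlbMaster pass the actual value first, while testify's signature is `Equal(t, expected, actual)`, so on failure the "expected" and "actual" labels in the CI output are swapped and mislead whoever triages the run; change them to `assert.Equal(t, gwlbExpectedName, outputGWLBName)`, `assert.Equal(t, gwlbControlllerExpectedName, outputGWLBControllerName)` and `assert.Equal(t, configurationTemplate, outputConfigurationTemplateName)`. The same swapped order appears in the GWLB validation function at the top of this chunk. In GetTerraformOptionsTgwGwlbMaster the NAT gateway and GWLBe subnet CIDRs are inline literals (`10.0.13.0/24` through `10.0.24.0/24`) while the VPC CIDR comes from the shared `vpcCIDR` fixture, so they silently stop fitting inside the VPC if that fixture changes; derive them from the fixture or add a comment stating that they must lie within `vpcCIDR`.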
@@ -0,0 +1,224 @@ +# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/tgw-asg +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/tgw-asg-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-gateway" + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_cloudwatch = true + asn = "6500" + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + management_permissions = "Create with read-write permissions" + management_predefined_role = "" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + gateway_management = "Locally managed" + + // --- Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "management-server" + configuration_template = "template-name" + ``` + +- Conditional creation + - To create a Security Management server with IAM Role: + ``` + management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | +| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/locals.tf b/deprecated/terraform/aws/R81/tgw-asg-master/locals.tf new file mode 100755 index 00000000..467c4b4e --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg-master/locals.tf 
@@ -0,0 +1,66 @@ +locals { + regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + // Will fail if var.vpc_cidr is invalid + regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr" + + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.management_permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.management_permissions) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 
0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // will fail if [var.gateway_management] is invalid: + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash" + regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_asn = "^[0-9]+$" + // Will fail if var.asn is invalid + regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn" + + regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.admin_cidr is invalid + regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR" + + regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.gateways_addresses is invalid + regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses" + + regex_valid_management_server = "^[0-9a-zA-Z-._]+$" + // Will fail if var.management_server is invalid + regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string" + + regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$" + // Will fail if var.configuration_template is invalid + regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string" + + deploy_management_condition = var.management_deploy == true +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/main.tf b/deprecated/terraform/aws/R81/tgw-asg-master/main.tf new file mode 100755 index 00000000..a9fdd06e --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg-master/main.tf 
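Review bot: The `? 0 : "Variable [...] must be ..."` branches in these locals never stop a plan — a false comparison just assigns the message string to the local, so the only thing that actually fails is `regex()` finding no match at all. For the anchored patterns that is equivalent, but `regex_valid_key_name = "[\\S\\s]+[\\S]+"` is unanchored: a key name with trailing whitespace makes `regex()` return a shorter substring, the comparison is false, and `regex_key_name_result` silently holds the message text with no error. Anchoring it, e.g. `regex_valid_key_name = "^[\\S\\s]*\\S$"`, restores the intended check; longer term these belong in `validation` blocks on the variables themselves, where the error message is actually surfaced to the user. Also, the comment and message for the SIC key refer to `var.gateway_SIC_Key` while the variable actually read is `var.gateway_SICKey`, which is the name a user would search for when the check fails.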
@@ -0,0 +1,55 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +// --- VPC --- +module "launch_vpc" { + source = "../modules/vpc" + + vpc_cidr = var.vpc_cidr + public_subnets_map = var.public_subnets_map + private_subnets_map = {} + subnets_bit_length = var.subnets_bit_length +} + +module "launch_tgw_asg_into_vpc" { + source = "../tgw-asg" + providers = { + aws = aws + } + + vpc_id = module.launch_vpc.vpc_id + gateways_subnets = module.launch_vpc.public_subnets_ids_list + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + allow_upload_download = var.allow_upload_download + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + gateways_min_group_size = var.gateways_min_group_size + gateways_max_group_size = var.gateways_max_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + enable_cloudwatch = var.enable_cloudwatch + asn = var.asn + management_deploy = var.management_deploy + management_instance_type = var.management_instance_type + management_version = var.management_version + management_password_hash = var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + management_permissions = var.management_permissions + management_predefined_role = var.management_predefined_role + gateways_blades = var.gateways_blades + admin_cidr = var.admin_cidr + gateways_addresses = var.gateways_addresses + gateway_management = var.gateway_management + control_gateway_over_public_or_private_address = 
var.control_gateway_over_public_or_private_address + management_server = var.management_server + configuration_template = var.configuration_template +} diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/output.tf b/deprecated/terraform/aws/R81/tgw-asg-master/output.tf new file mode 100755 index 00000000..ed183c0a --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg-master/output.tf @@ -0,0 +1,24 @@ +output "vpc_id" { + value = module.launch_vpc.vpc_id +} +output "public_subnets_ids_list" { + value = module.launch_vpc.public_subnets_ids_list +} +output "management_instance_name" { + value = module.launch_tgw_asg_into_vpc.management_instance_name +} +output "configuration_template" { + value = module.launch_tgw_asg_into_vpc.configuration_template +} +output "controller_name" { + value = module.launch_tgw_asg_into_vpc.controller_name +} +output "management_public_ip" { + value = module.launch_tgw_asg_into_vpc.management_public_ip +} +output "management_url" { + value = module.launch_tgw_asg_into_vpc.management_url +} +output "autoscaling_group_name" { + value = module.launch_tgw_asg_into_vpc.autoscaling_group_name +} diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-asg-master/terraform.tfvars new file mode 100755 index 00000000..7807cc3d --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg-master/terraform.tfvars 
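Review bot: The `provider "aws"` block reads `var.access_key` and `var.secret_key`, but the README added for this module in the same commit quotes the block with `var.aws_access_key_ID` and `var.aws_secret_access_key` and tells users to comment those lines out, so anyone following it edits names that do not exist here. Either the README's quoted block should be brought in line with these three lines, or the provider block should drop the credential arguments and rely on the provider's own credential chain (environment variables, shared config, instance role), which also keeps the secret key out of terraform.tfvars on disk. Separately, `module "launch_vpc"` inherits the default provider while `launch_tgw_asg_into_vpc` passes `providers = { aws = aws }` explicitly; both work, but the inconsistency reads as if one of them were deliberate.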
@@ -0,0 +1,47 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- Network Configuration --- +vpc_cidr = "10.0.0.0/16" +public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 +} +subnets_bit_length = 8 + +// --- General Settings --- +key_name = "publickey" +enable_volume_encryption = true +enable_instance_connect = false +disable_instance_termination = false +metadata_imdsv2_required = true +allow_upload_download = true + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +gateway_name = "Check-Point-gateway" +gateway_instance_type = "c5.xlarge" +gateways_min_group_size = 2 +gateways_max_group_size = 8 +gateway_version = "R81.20-BYOL" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. +gateway_SICKey = "12345678" +enable_cloudwatch = true +asn = "6500" + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +management_deploy = true +management_instance_type = "m5.xlarge" +management_version = "R81.20-BYOL" +management_password_hash = "" +management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. +management_permissions = "Create with read-write permissions" +management_predefined_role = "" +gateways_blades = true +admin_cidr = "0.0.0.0/0" +gateways_addresses = "0.0.0.0/0" +gateway_management = "Locally managed" + +// --- Automatic Provisioning with Security Management Server Settings --- +control_gateway_over_public_or_private_address = "private" +management_server = "management-server" +configuration_template = "template-name" \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/variables.tf b/deprecated/terraform/aws/R81/tgw-asg-master/variables.tf new file mode 100755 index 00000000..a709a74f --- /dev/null 
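Review bot: The sample values `admin_cidr = "0.0.0.0/0"`, `gateways_addresses = "0.0.0.0/0"` and `gateway_SICKey = "12345678"` all pass the checks in locals.tf (the SIC pattern only requires eight alphanumerics), so an unedited terraform.tfvars applies cleanly with web, SSH and SmartConsole access to the Management Server open to any source and a predictable SIC key. Because this file is auto-loaded by Terraform, the placeholders deserve an inline marker, e.g. `admin_cidr = "0.0.0.0/0" # restrict to your admin network before apply` and `gateway_SICKey = "12345678" # placeholder, replace with a random key before apply`. The identical sample block in the module README would benefit from the same markers.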
+++ b/deprecated/terraform/aws/R81/tgw-asg-master/variables.tf 
@@ -0,0 +1,217 @@ +// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group +// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" + default = true +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "asn" { + type = string + description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways" + default = "6500" +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "management_permissions" { + type = string + description = "IAM role to attach to the instance profile" + default = "Create with read-write permissions" +} +variable "management_predefined_role" { + type = string + description = "(Optional) 
A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'" + default = "" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} + +// --- Automatic Provisioning with Security Management Server Settings --- +variable "control_gateway_over_public_or_private_address" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} +variable "management_server" { + type = string + description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration" + default = "management-server" +} +variable "configuration_template" { + type = string + description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration" + default = "TGW-ASG-configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} diff --git a/deprecated/terraform/aws/R81/tgw-asg-master/versions.tf b/deprecated/terraform/aws/R81/tgw-asg-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null 
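Review bot: `variable "key_name"` declares `type = string` but `default = true`; Terraform's implicit bool-to-string conversion makes that the key pair name `"true"`, so a caller who omits the variable gets a launch failure (or a wrong key pair) instead of the missing-input error a required variable would give. Drop the `default = true` line so `key_name` is required, as `public_subnets_map` and `gateway_SICKey` in the same file already are. Separately, `secret_key`, `gateway_SICKey`, both `*_password_hash` and both `*_maintenance_mode_password_hash` variables are declared without `sensitive = true`, so their values can appear in plan and apply output wherever they are interpolated; `versions.tf` in this commit pins `required_version = ">= 0.14.3"`, which supports the attribute, so `sensitive = true` can be added to each of those blocks.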
+++ b/deprecated/terraform/aws/R81/tgw-asg-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-asg/README.md b/deprecated/terraform/aws/R81/tgw-asg/README.md
new file mode 100755
index 00000000..8f09e0cf
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-asg/README.md
@@ -0,0 +1,214 @@ +# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/tgw-asg/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Network Configuration --- + vpc_id = "vpc-12345678" + gateways_subnets = ["subnet-123b5678", "subnet-123a4567"] + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-gateway" + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_cloudwatch = true + asn = "6500" + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + management_permissions = "Create with read-write permissions" + management_predefined_role = "" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + gateway_management = "Locally managed" + + // --- Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "management-server" + configuration_template = "template-name" + ``` + +- Conditional creation + - To create a Security Management server with IAM Role: + ``` + management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | +| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-asg/locals.tf b/deprecated/terraform/aws/R81/tgw-asg/locals.tf new file mode 100755 index 00000000..7ecd5cf4 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg/locals.tf 
@@ -0,0 +1,64 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.management_permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.management_permissions) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // will fail if [var.gateway_management] is invalid: + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 
0 : "Variable [management_password_hash] must be a valid password hash" + regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + + regex_valid_asn = "^[0-9]+$" + // Will fail if var.asn is invalid + regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn" + + regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.admin_cidr is invalid + regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR" + + regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + // Will fail if var.gateways_addresses is invalid + regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 
0 : "Variable [gateways_addresses] must be a valid gateways addresses" + + regex_valid_management_server = "^[0-9a-zA-Z-._]+$" + // Will fail if var.management_server is invalid + regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string" + + regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$" + // Will fail if var.configuration_template is invalid + regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string" + + deploy_management_condition = var.management_deploy == true +} \ No newline at end of file diff --git a/deprecated/terraform/aws/R81/tgw-asg/main.tf b/deprecated/terraform/aws/R81/tgw-asg/main.tf new file mode 100755 index 00000000..8b7b3cf1 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-asg/main.tf 
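Review bot: The `regex(...) == var.x ? 0 : "..."` locals do not reliably produce their custom message: Terraform's `regex()` raises its own generic error when the input does not match at all, so the string branch is reached only on a partial match, and as far as this hunk shows that string is merely assigned to a local rather than turned into an error. The SIC-key message also names `[gateway_SIC_Key]`, while the variable actually checked is `var.gateway_SICKey`. Since `tgw-asg-master/variables.tf` in this commit already uses a `validation` block and `required_version` is `>= 0.14.3`, the same checks belong in `validation` blocks on the variables, e.g. `condition = can(regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey))` with the intended `error_message`, which fails the plan with a deterministic message regardless of how the local is consumed.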
@@ -0,0 +1,64 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "autoscale" {
+ source = "../autoscale"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = var.vpc_id
+ subnet_ids = var.gateways_subnets
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.gateways_min_group_size
+ maximum_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_tgw' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_tgw\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Setting ASN to: ${var.asn}'; clish -c 'set as ${var.asn}' -s; echo -e '\nFinished Bootstrap script\n'"
+ gateways_provision_address_type = var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ?
1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.gateways_subnets[0]
+ management_name = var.management_server
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = true
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ iam_permissions = var.management_permissions
+ predefined_role = var.management_predefined_role
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_tgw_asg' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_tgw_asg\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Configuring VPN community: tgw-community'; [[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh \"tgw-community\" || /etc/fw/scripts/autoprovision/config-community.sh \"tgw-community\"; echo 'Setting VPN rules'; mgmt_cli -r true add access-layer name 'Inline'; mgmt_cli -r true add access-rule layer Network position 1 name 'tgw-community VPN Traffic Rule' vpn.directional.1.from 'tgw-community' vpn.directional.1.to 'tgw-community'
vpn.directional.2.from 'tgw-community' vpn.directional.2.to External_clear action 'Apply Layer' inline-layer 'Inline'; mgmt_cli -r true add nat-rule package standard position bottom install-on 'Policy Targets' original-source All_Internet translated-source All_Internet method hide; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn tgw-controller -po Standard -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam -dt TGW; autoprov_cfg -f set controller AWS -cn tgw-controller -sv -com tgw-community; autoprov_cfg -f set template -tn ${var.configuration_template} -vpn -vd '''' -con tgw-community; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.configuration_template} -ia -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-asg/output.tf b/deprecated/terraform/aws/R81/tgw-asg/output.tf
new file mode 100755
index 00000000..8a282a53
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-asg/output.tf
@@ -0,0 +1,18 @@
+output "management_instance_name" {
+ value = module.management[0].management_instance_name
+}
+output "configuration_template" {
+ value = var.configuration_template
+}
+output "controller_name" {
+ value = "tgw-controller"
+}
+output "management_public_ip" {
+ value = module.management[0].management_public_ip
+}
+output "management_url" {
+ value = module.management[0].management_url
+}
+output "autoscaling_group_name" {
+ value = module.autoscale.autoscale_autoscaling_group_name
+}
diff --git a/deprecated/terraform/aws/R81/tgw-asg/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-asg/terraform.tfvars
new file mode 100755
index 00000000..943f16b4
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-asg/terraform.tfvars
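Review bot: The management bootstrap string in module "management" passes the SIC key as a plain argument, `-otp ${var.gateway_SICKey}`, so the secret is embedded in the instance's user-data and is printed whenever this module input is rendered in plan or apply output. The user-data placement is inherent to this design, but the module can keep the value out of terminal output by declaring `gateway_SICKey` `sensitive = true` in variables.tf, and the README should state that the SIC key is readable from the management instance's user-data by anyone who can describe that instance. The `${var.gateways_blades} && autoprov_cfg ...` fragment works only because the rendered bool happens to equal the shell builtins `true`/`false`; a template directive, `%{ if var.gateways_blades }autoprov_cfg -f set template -tn ${var.configuration_template} -ia -ips -appi -av -ab;%{ endif }`, states the intent without that dependency.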
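Review bot: Every `module.management[0].…` output fails with an invalid-index error when `management_deploy = false`, because module "management" is declared with `count = local.deploy_management_condition ? 1 : 0` in main.tf and the three outputs index it unconditionally, which makes the documented "use an existing Security Management Server" mode un-applyable. Wrap each of them so the absent case yields null, e.g. `value = try(module.management[0].management_instance_name, null)`, and likewise for `management_public_ip` and `management_url`; `try` is available under the `>= 0.14.3` constraint declared in versions.tf.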
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_id = "vpc-12345678"
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-gateway"
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+asn = "65000"
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+management_permissions = "Create with read-write permissions"
+management_predefined_role = ""
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+gateway_management = "Locally managed"
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = "management-server"
+configuration_template = "template-name"
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-asg/variables.tf b/deprecated/terraform/aws/R81/tgw-asg/variables.tf
new file mode 100755
index 00000000..9a9a47e1
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-asg/variables.tf
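Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` apply as-is if the file is used as shipped, and per the variable descriptions in variables.tf these two inputs are the only networks allowed to reach the management server's web, SSH and gateway-facing ports, so the sample exposes them to the whole internet. The other placeholders in this file (`vpc-12345678`, `publickey`) cannot be applied by accident; a non-routable placeholder such as `admin_cidr = "<admin-network-cidr>"`, or at least a trailing `# CHANGE ME: restrict to your administrative network` on both lines, would be consistent with them. `gateway_SICKey = "12345678"` deserves the same treatment, since that value is the trust bootstrap between the gateways and the management server.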
@@ -0,0 +1,211 @@
+// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group
+// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "gateways_subnets" {
+ type = list(string)
+ description = "Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+ default = true
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "asn" {
+ type = string
+ description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways"
+ default = "6500"
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "management_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read-write permissions"
+}
+variable "management_predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'"
+ default = ""
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = "management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = "TGW-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The
configuration_template name can not exceed 30 characters"
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-asg/versions.tf b/deprecated/terraform/aws/R81/tgw-asg/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-asg/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/README.md b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/README.md
new file mode 100755
index 00000000..db75e948
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/README.md
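Review bot: `variable "key_name"` declares `type = string` but `default = true`, so a caller who omits it gets either a type error or the literal key-pair name "true" instead of the missing-input error its description implies; drop the `default = true` line so the value must be supplied, as the sibling `vpc_id` already requires. None of `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash` or `management_maintenance_mode_password_hash` is marked `sensitive = true`, which the `>= 0.14.3` constraint in versions.tf supports, so their values are echoed in plan and apply output; add `sensitive = true` to each of those six blocks. The `asn` default `"6500"` differs from the `"65000"` used in terraform.tfvars and looks like a dropped digit, worth confirming against the intended private-ASN range. `gateways_subnets` says "Select at least 2 external subnets" but nothing enforces it; a `validation { condition = length(var.gateways_subnets) >= 2 ... }` block, in the style already used on `configuration_template`, would turn that sentence into a check.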
@@ -0,0 +1,208 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster with a new VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221229 | Removed unsupported versions | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/locals.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..387fb7c1 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/main.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/main.tf new file mode 100755 index 00000000..d04b9548 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/main.tf 
@@ -0,0 +1,73 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ tgw_subnets_map = var.tgw_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnet1" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnet2" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[1]
+}
+module "tgw_cluster_into_vpc" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ source = "../tgw-cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_1 = module.launch_vpc.public_subnets_ids_list[0]
+ public_subnet_2 = module.launch_vpc.public_subnets_ids_list[1]
+ private_subnet_1 = module.launch_vpc.private_subnets_ids_list[0]
+ private_subnet_2 = module.launch_vpc.private_subnets_ids_list[1]
+ tgw_subnet_1_id = module.launch_vpc.tgw_subnets_ids_list[0]
+ tgw_subnet_2_id =module.launch_vpc.tgw_subnets_ids_list[1]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/output.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/output.tf
new file mode 100755
index 00000000..fd143a67
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/output.tf
@@ -0,0 +1,30 @@
+output "cluster_public_ip" {
+ value = module.tgw_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.tgw_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.tgw_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.tgw_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.tgw_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.tgw_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.tgw_cluster_into_vpc.member_b_url
+}
+output "member_a_eni" {
+ value = module.tgw_cluster_into_vpc.member_a_eni
+}
+output "member_b_eni" {
+ value = module.tgw_cluster_into_vpc.member_b_eni
+}
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
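Review bot: The `allocate_and_associate_eip` input is declared in this wrapper's variables.tf with `default = true`, but the `module "tgw_cluster_into_vpc"` block never forwards it, so whatever a user sets in terraform.tfvars is silently ignored and the child module's own default applies; add `allocate_and_associate_eip = var.allocate_and_associate_eip` next to `key_name`. The `provider "aws"` block also reads `access_key`/`secret_key` from plain variables, so anyone who fills terraform.tfvars the way the README suggests ends up with long-lived IAM credentials sitting next to the SIC key and Smart-1 Cloud tokens in a file that is easy to commit. A comment on those two lines, `// Prefer AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or a named profile; leave these empty`, would steer users toward the credential sources that never touch disk in this repo.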
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/terraform.tfvars
new file mode 100755
index 00000000..2a1fee10
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.29.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+tgw_subnets_map = {
+ "us-east-1a" = 5
+ "us-east-1b" = 6
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/variables.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/variables.tf
new file mode 100755
index 00000000..1485389b
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/variables.tf
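Review bot: `gateway_SICKey = "12345678"` is a copy-paste-ready value that satisfies the `^[a-zA-Z0-9]{8,}$` check in this directory's locals.tf, so a user who applies the sample unchanged gets a cluster whose SIC key is the one published in this repo and in the README's "Default" column. Replace it with a value the validation rejects plus an instruction, e.g. `gateway_SICKey = "" # REQUIRED: random string of >= 8 alphanumerics; never reuse the sample`, so `terraform plan` fails until a real key is supplied. Since the README also tells users to put `access_key`/`secret_key` into this same file, a header line such as `// Do not commit a filled-in copy of this file: it will contain AWS credentials, the SIC key and Smart-1 Cloud tokens` is worth adding.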
@@ -0,0 +1,200 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// ---VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation1" {
+ count = length(var.public_subnets_map) == 2 ? 0 : "variable public_subnets_map size must be equal to variable 2"
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation2" {
+ count = length(var.private_subnets_map) == 2 ? 0 : "variable private_subnets_map size must be equal to variable 2"
+}
+variable "tgw_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation3" {
+ count = length(var.tgw_subnets_map) == 2 ? 0 : "variable tgw_subnets_map size must be equal to variable 2"
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/versions.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/README.md b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/README.md
new file mode 100755
index 00000000..fb62e2fe
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/README.md
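Review bot: None of the secret-bearing inputs in this file — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is declared `sensitive = true`, so their values are echoed verbatim in `terraform plan`/`apply` output and in any CI log that captures it. The adjacent versions.tf pins `required_version = ">= 0.14.3"`, which already supports the attribute, so add `sensitive = true` to each of those seven `variable` blocks; the values still land in state, so backend encryption remains a separate concern. Separately, the four `null_resource` validation hacks (`count = … ? 0 : "message"`) pull in a provider that versions.tf does not list in `required_providers` (only `aws`, `http`, `random`), so `hashicorp/null` is resolved implicitly and unpinned; either declare it there or replace these resources with `validation {}` blocks on the variables, which the pinned Terraform version also supports and which report the message through the normal variable-validation path. The `public_subnets_map`/`tgw_subnets_map` descriptions say "Minimum 2 pairs" and `private_subnets_map` says "Minimum 1 pair" while all three checks enforce exactly two, so the description text should say "Exactly 2 pairs" to match.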
@@ -0,0 +1,204 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-1234" + public_subnet_1 = "subnet-1234" + public_subnet_2 = "subnet-2345" + private_subnet_1 = "subnet-3456" + private_subnet_2 = "subnet-4567" + tgw_subnet_1_id = "subnet-5678" + tgw_subnet_2_id = "subnet-6789" + private_route_table = "" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221229 | Removed unsupported versions | +| 20221123 | R81.20 version support | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/locals.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/locals.tf new file mode 100755 index 00000000..9a9929b7 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
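Review bot: The validation locals in this hunk (`validate_admin_shell`, `regex_key_name_result`, `regex_gateway_sic_result`, `regex_s1c_validate`, `regex_s1c_unique` and the other `regex_*` entries) stop a plan only by making `index()` or `regex()` fail, so the operator sees Terraform's generic function error, while the message string carried in the ternary's else branch is, as far as the hunk shows, only ever assigned to the local and never surfaced. With `required_version = ">= 0.14.3"` pinned in this module's `versions.tf`, each check could instead be a `validation { condition = ... error_message = "..." }` block on the corresponding variable, which prints the intended text and names the variable. The comment above `validate_volume_type` refers to a variable that does not exist in this module; `// will fail if var.volume_type is invalid` matches the code beneath it. The local `provided_roue_table` is presumably meant to read `provided_route_table`; whether anything references it under the misspelled name is not visible here.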
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/main.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/main.tf
new file mode 100755
index 00000000..4ae319ab
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/main.tf
@@ -0,0 +1,62 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = var.vpc_id
+ public_subnet_ids = tolist([var.public_subnet_1, var.public_subnet_2])
+ private_subnet_ids = tolist([var.private_subnet_1, var.private_subnet_2])
+ private_route_table = var.private_route_table
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
+resource "aws_route_table" "tgw_route_table" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ network_interface_id = module.cluster_into_vpc.member_a_eni
+ }
+ tags = {
+ Name = "TGW Attachment Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" {
+ subnet_id = var.tgw_subnet_1_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
+resource "aws_route_table_association" 
"tgw_attachment2_rtb_assoc" {
+ subnet_id = var.tgw_subnet_2_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/output.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/output.tf
new file mode 100755
index 00000000..2aa6d333
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/output.tf
@@ -0,0 +1,27 @@
+output "cluster_public_ip" {
+ value = module.cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.cluster_into_vpc.member_b_public_ip
+}
+output "member_a_eni" {
+ value = module.cluster_into_vpc.member_a_eni
+}
+output "member_a_ssh" {
+ value = module.cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.cluster_into_vpc.member_b_url
+}
+output "member_b_eni" {
+ value = module.cluster_into_vpc.member_b_eni
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..c1008d0d
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/terraform.tfvars
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-1234"
+public_subnet_1 = "subnet-1234"
+public_subnet_2 = "subnet-2345"
+private_subnet_1 = "subnet-3456"
+private_subnet_2 = "subnet-4567"
+tgw_subnet_1_id = "subnet-5678"
+tgw_subnet_2_id = "subnet-6789"
+private_route_table = ""
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/variables.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/variables.tf
new file mode 100755
index 00000000..eb330795
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/variables.tf
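Review bot: `gateway_SICKey = "12345678"` in this sample tfvars is a placeholder that satisfies the module's `^[a-zA-Z0-9]{8,}$` check in `locals.tf`, so an apply that leaves the file as committed proceeds with a trivially guessable SIC key instead of stopping on a missing value. Because `gateway_SICKey` has no default in `variables.tf`, either omitting the line so Terraform prompts for it, or marking it in place with `# placeholder - replace with a random string of at least 8 alphanumeric characters`, makes the intent explicit for whoever copies this file.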
@@ -0,0 +1,201 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_1" {
+ type = string
+ description = "The public subnet ID of the cluster that located in the 1st Availability Zone"
+}
+variable "public_subnet_2" {
+ type = string
+ description = "The public subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "private_subnet_1" {
+ type = string
+ description = "The private subnet of the cluster that located in the 1st Availability Zone"
+}
+variable "private_subnet_2" {
+ type = string
+ description = "The private subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "tgw_subnet_1_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 1st Availability Zone"
+}
+variable "tgw_subnet_2_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 2st Availability Zone"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). 
Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/deprecated/terraform/aws/R81/tgw-cross-az-cluster/versions.tf b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-cross-az-cluster/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/README.md b/deprecated/terraform/aws/R81/tgw-gwlb-master/README.md
new file mode 100755
index 00000000..edcd4f34
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/README.md
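Review bot: None of the secret-bearing inputs in this hunk (`secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken`) carries `sensitive = true`, so nothing stops their values from being rendered in plan or apply output wherever the downstream module interpolates them into a resource attribute. The `versions.tf` hunk that follows pins `required_version = ">= 0.14.3"`, which supports the `sensitive` argument, so adding `sensitive = true` to each of those `variable` blocks is a one-line change per block, and `main.tf` passes them straight into `module "cluster_into_vpc"`, through which sensitivity propagates. The `description` strings for `public_subnet_2`, `private_subnet_2` and `tgw_subnet_2_id` read `2st Availability Zone` where `2nd` is meant. `resource "null_resource" "volume_size_too_small"` in this file relies on the implicitly resolved `hashicorp/null` provider, which `versions.tf` does not pin alongside `aws`, `http` and `random`.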
@@ -0,0 +1,265 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform Master module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into new Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/modules/vpc +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be 
provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + "us-east-1c" = 3 + "us-east-1d" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + "us-east-1c" = 7 + "us-east-1d" = 8 + } + subnets_bit_length = 8 + + availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"] + number_of_AZs = 4 + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + 
disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb" + target_group_name = "tg1" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Other parameters --- + volume_type = "gp3" + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. 
| number | n/a | 2 | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|----------------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/locals.tf b/deprecated/terraform/aws/R81/tgw-gwlb-master/locals.tf new file mode 100755 index 00000000..d75eeaa5 --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/locals.tf 
@@ -0,0 +1,62 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ?
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ?
0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.volume_type] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+
+ #note: we need to add validiation for every subnet in masters solution
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/main.tf b/deprecated/terraform/aws/R81/tgw-gwlb-master/main.tf
new file mode 100755
index 00000000..3b616ebc
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/main.tf
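Review bot: `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` accept any one-to-three-digit octet, so a value like `999.0.0.0/8` passes this validation and only fails later in the provider, while `regex_valid_vpc_cidr` at the top of the same block already spells out the exact 0–255 octet alternation; reusing that octet pattern for the two admin/gateway CIDRs would make the three checks consistent. `regex_management_server` and `regex_configuration_template` report "can not be an empty string", yet the trailing `|)` alternative in both patterns explicitly matches the empty string, so the message describes a case the regex never rejects — either drop the empty alternative or reword the message. Since these locals exist only to make `terraform plan` fail, the native `validation` block that variables.tf on this page already uses for `configuration_template` would express the same checks with a clearer error than a type-conversion failure on `0 : "message"`.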
@@ -0,0 +1,85 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ tgw_subnets_map = var.tgw_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+module "tgw-gwlb"{
+ source = "../tgw-gwlb"
+ providers = {
+ aws = aws
+ }
+ vpc_id = module.launch_vpc.vpc_id
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ number_of_AZs = var.number_of_AZs
+ availability_zones = var.availability_zones
+ internet_gateway_id = module.launch_vpc.aws_igw
+
+ transit_gateway_attachment_subnet_1_id = element(module.launch_vpc.tgw_subnets_ids_list, 0)
+ transit_gateway_attachment_subnet_2_id = element(module.launch_vpc.tgw_subnets_ids_list, 1)
+ transit_gateway_attachment_subnet_3_id = var.number_of_AZs >= 3 ? element(module.launch_vpc.tgw_subnets_ids_list, 2) : ""
+ transit_gateway_attachment_subnet_4_id = var.number_of_AZs >= 4 ?
element(module.launch_vpc.tgw_subnets_ids_list, 3) : ""
+
+ nat_gw_subnet_1_cidr = var.nat_gw_subnet_1_cidr
+ nat_gw_subnet_2_cidr = var.nat_gw_subnet_2_cidr
+ nat_gw_subnet_3_cidr = var.nat_gw_subnet_3_cidr
+ nat_gw_subnet_4_cidr = var.nat_gw_subnet_4_cidr
+
+ gwlbe_subnet_1_cidr = var.gwlbe_subnet_1_cidr
+ gwlbe_subnet_2_cidr = var.gwlbe_subnet_2_cidr
+ gwlbe_subnet_3_cidr = var.gwlbe_subnet_3_cidr
+ gwlbe_subnet_4_cidr = var.gwlbe_subnet_4_cidr
+
+ // --- General Settings ---
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ volume_size = var.volume_size
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ admin_shell = var.admin_shell
+
+ // --- Gateway Load Balancer Configuration ---
+ gateway_load_balancer_name = var.gateway_load_balancer_name
+ target_group_name = var.target_group_name
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
+ // --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/output.tf b/deprecated/terraform/aws/R81/tgw-gwlb-master/output.tf
new file mode 100755
index 00000000..67085776
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..bdb7a361
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/terraform.tfvars
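Review bot: The `module "tgw-gwlb"` call passes `minimum_group_size = var.minimum_group_size` and `maximum_group_size = var.maximum_group_size`, and variables.tf on this page declares them under those names, but the README parameter table earlier on this page documents the same inputs as `gateways_min_group_size` / `gateways_max_group_size`; a user who follows the README gets an undeclared-variable error, so one side should be renamed to match the other. The `provider "aws"` block feeds `var.access_key` and `var.secret_key` straight into static credentials, and the README excerpt further down this page shows putting them in terraform.tfvars; a short comment on that block such as `# prefer AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars or a named profile; avoid committing keys in terraform.tfvars` would steer readers toward the provider's environment-variable path the README also mentions.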
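Review bot: `module.tgw-gwlb[*].management_public_ip` (and likewise the `gwlb_arn` and `gwlb_service_name` outputs) applies a splat to a module that main.tf declares without `count` or `for_each`, so as far as I can tell each of these outputs is a one-element tuple rather than the plain value the README outputs table describes; `value = module.tgw-gwlb.management_public_ip` would return the bare string. The README table also spells the first output `managment_public_ip`, which does not match the `management_public_ip` name declared here. The `depends_on = [module.tgw-gwlb]` entries appear redundant, since each `value` expression already references that module.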
@@ -0,0 +1,76 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+ "us-east-1c" = 3
+ "us-east-1d" = 4
+}
+tgw_subnets_map = {
+ "us-east-1a" = 5
+ "us-east-1b" = 6
+ "us-east-1c" = 7
+ "us-east-1d" = 8
+}
+subnets_bit_length = 8
+
+availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+number_of_AZs = 4
+
+nat_gw_subnet_1_cidr = "10.0.13.0/24"
+nat_gw_subnet_2_cidr = "10.0.23.0/24"
+nat_gw_subnet_3_cidr = "10.0.33.0/24"
+nat_gw_subnet_4_cidr = "10.0.43.0/24"
+
+gwlbe_subnet_1_cidr = "10.0.14.0/24"
+gwlbe_subnet_2_cidr = "10.0.24.0/24"
+gwlbe_subnet_3_cidr = "10.0.34.0/24"
+gwlbe_subnet_4_cidr = "10.0.44.0/24"
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/variables.tf b/deprecated/terraform/aws/R81/tgw-gwlb-master/variables.tf
new file mode 100755
index 00000000..af425811
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/variables.tf
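Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, which per the variable descriptions on this page allows web, SSH and graphical clients, and gateway traffic, to reach the Security Management Server from any source address; sample tfvars files are often applied unchanged, so an obviously-placeholder value such as `admin_cidr = "<ADMIN-NETWORK-CIDR>"` with a comment asking the user to narrow it is the safer default. The same holds for `gateway_SICKey = "12345678"`, which satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf but is the weakest value that does, and a placeholder is again preferable to a working sample. Separately, `enable_cross_zone_load_balancing = "true"` is a string while variables.tf declares the variable as `bool`; Terraform converts it, but a bare `true` would match the declared type and the `management_deploy = true` line a few lines below.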
@@ -0,0 +1,326 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// ---VPC Network Configuration ---
+variable "number_of_AZs" {
+ type = number
+ description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter"
+ default = 2
+}
+variable "availability_zones"{
+ type = list(string)
+ description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)"
+}
+resource "null_resource" "tgw_availability_zones_validation1" {
+ count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs"
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation2" {
+ count = var.number_of_AZs == length(var.public_subnets_map) ? 0 : "variable public_subnets_map size must be equal to variable num_of_AZs"
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+variable "tgw_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets.
Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation3" {
+ count = var.number_of_AZs == length(var.tgw_subnets_map) ? 0 : "variable tgw_subnets_map size must be equal to variable num_of_AZs"
+}
+variable "nat_gw_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone"
+ default = "10.0.13.0/24"
+}
+variable "nat_gw_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone"
+ default = "10.0.23.0/24"
+}
+variable "nat_gw_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone"
+ default = "10.0.33.0/24"
+}
+variable "nat_gw_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone"
+ default = "10.0.43.0/24"
+}
+variable "gwlbe_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone"
+ default = "10.0.14.0/24"
+}
+variable "gwlbe_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone"
+ default = "10.0.24.0/24"
+}
+variable "gwlbe_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone"
+ default = "10.0.34.0/24"
+}
+variable "gwlbe_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone"
+ default = "10.0.44.0/24"
+}
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+ default = "gwlb-management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ default = "gwlb-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name.
This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb-master/versions.tf b/deprecated/terraform/aws/R81/tgw-gwlb-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/README.md b/deprecated/terraform/aws/R81/tgw-gwlb/README.md
new file mode 100755
index 00000000..e5c3a379
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/README.md
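Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash` and the two `*_maintenance_mode_password_hash` variables hold secrets, but none of them is declared `sensitive = true`, so their values can be echoed in plan output and module-input diffs; versions.tf in this same commit requires `>= 0.14.3`, which already supports the attribute, so `sensitive = true` can be added to each declaration. `gateway_password_hash` is described as "(Optional)" yet, unlike `management_password_hash`, has no `default = ""`, so Terraform prompts for it on every run unless terraform.tfvars sets it; adding `default = ""` makes the declaration match its description. The `null_resource` blocks `tgw_availability_zones_validation1` to `3`, `volume_size_too_small`, the two name-length checks and `invalid_allocation` all use `count = cond ? 0 : "message"` and rely on a type-conversion error to stop the plan, while `configuration_template` in the same file already shows the native `validation { condition = ... error_message = ... }` form; moving the other checks to that form would make the failures self-describing.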
@@ -0,0 +1,264 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into existing Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + internet_gateway_id ="igw-12345" + availability_zones = ["us-east-1a", "us-east-1b"] + number_of_AZs = 2 + gateways_subnets= ["subnet-123456", "subnet-234567"] + + transit_gateway_attachment_subnet_1_id="subnet-3456" + transit_gateway_attachment_subnet_2_id="subnet-4567" + transit_gateway_attachment_subnet_3_id="subnet-5678" + transit_gateway_attachment_subnet_4_id="subnet-6789" + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + 
volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + VolumeType = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------| +| 20240704 | R80.40 version deprecation | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/locals.tf b/deprecated/terraform/aws/R81/tgw-gwlb/locals.tf new file mode 100755 index 00000000..0693df6d --- /dev/null +++ b/deprecated/terraform/aws/R81/tgw-gwlb/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+
+ #note: we need to add validiation for every subnet in masters solution
+}
\ No newline at end of file
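Review bot: The error strings on the `regex_*` locals are never shown to the operator: `regex()` aborts the plan by itself when the pattern does not match, so the `? 0 : "Variable [...] must be ..."` branch is dead and a bad value surfaces as Terraform's generic regex error instead of the intended text. With the module requiring Terraform `>= 0.14.3` (per the sibling `versions.tf` in this commit, if the same constraint applies here), these checks could be `validation` blocks on the variables themselves (variables.tf is outside this hunk), e.g. `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with the existing text as `error_message`; older Terraform restricts a condition to the variable being validated, so the pattern would be inlined rather than taken from a local. Separately, `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` accept any one-to-three-digit octet, so a value such as `999.1.1.0/24` passes the check that is meant to fence management-plane access; `can(cidrnetmask(var.admin_cidr))` rejects it. The `[key_name]` message also reads `must be a none empty string` — should be `non-empty`.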
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/main.tf b/deprecated/terraform/aws/R81/tgw-gwlb/main.tf
new file mode 100755
index 00000000..64ce7101
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/main.tf
@@ -0,0 +1,438 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+resource "aws_subnet" "gwlbe_subnet1" {
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 0)
+ cidr_block = var.gwlbe_subnet_1_cidr
+ tags = {
+ Name = "GWLBe subnet 1"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet1_rtb" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway1.id
+ }
+ tags = {
+ Name = "GWLBe Subnet 1 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet1_rtb_assoc" {
+ subnet_id = aws_subnet.gwlbe_subnet1.id
+ route_table_id = aws_route_table.gwlbe_subnet1_rtb.id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet2" {
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 1)
+ cidr_block = var.gwlbe_subnet_2_cidr
+ tags = {
+ Name = "GWLBe subnet 2"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet2_rtb" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway2.id
+ }
+ tags = {
+ Name = "GWLBe Subnet 2 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet2_rtb_assoc" {
+ subnet_id = aws_subnet.gwlbe_subnet2.id
+ route_table_id = aws_route_table.gwlbe_subnet2_rtb.id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet3" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 2)
+ cidr_block = var.gwlbe_subnet_3_cidr
+ tags = {
+ Name = "GWLBe subnet 3"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet3_rtb" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway3[0].id
+ }
+ tags = {
+ Name = "GWLBe Subnet 3 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet3_rtb_assoc" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ subnet_id = aws_subnet.gwlbe_subnet3[0].id
+ route_table_id = aws_route_table.gwlbe_subnet3_rtb[0].id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet4" {
+ count = var.number_of_AZs >= 4 ? 1 :0
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 3)
+ cidr_block = var.gwlbe_subnet_4_cidr
+ tags = {
+ Name = "GWLBe subnet 4"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet4_rtb" {
+ count = var.number_of_AZs >= 4 ? 1 :0
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway4[0].id
+ }
+ tags = {
+ Name = "GWLBe Subnet 4 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet4_rtb_assoc" {
+ count = var.number_of_AZs >= 4 ?
1 :0 + subnet_id = aws_subnet.gwlbe_subnet4[0].id + route_table_id = aws_route_table.gwlbe_subnet4_rtb[0].id +} + + + + +resource "aws_subnet" "nat_gw_subnet1" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 0) + cidr_block = var.nat_gw_subnet_1_cidr + tags = { + Name = "NAT subnet 1" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 1 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet1_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet1.id + route_table_id = aws_route_table.nat_gw_subnet1_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet2" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 1) + cidr_block = var.nat_gw_subnet_2_cidr + tags = { + Name = "NAT subnet 2" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 2 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet2_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet2.id + route_table_id = aws_route_table.nat_gw_subnet2_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet3" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 2) + cidr_block = var.nat_gw_subnet_3_cidr + tags = { + Name = "NAT subnet 3" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 3 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = aws_subnet.nat_gw_subnet3[0].id + route_table_id = aws_route_table.nat_gw_subnet3_rtb[0].id +} + +resource "aws_subnet" "nat_gw_subnet4" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 3) + cidr_block = var.nat_gw_subnet_4_cidr + tags = { + Name = "NAT subnet 4" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 4 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 
1 :0 + subnet_id = aws_subnet.nat_gw_subnet4[0].id + route_table_id = aws_route_table.nat_gw_subnet4_rtb[0].id +} + +module "gwlb" { + source = "../gwlb" + providers = { + aws = aws + } + vpc_id = var.vpc_id + subnet_ids = var.gateways_subnets + + // --- General Settings --- + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + volume_size = var.volume_size + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + allow_upload_download = var.allow_upload_download + management_server = var.management_server + configuration_template = var.configuration_template + admin_shell = var.admin_shell + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = var.gateway_load_balancer_name + target_group_name = var.target_group_name + connection_acceptance_required = false + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + gateways_provision_address_type = var.gateways_provision_address_type + allocate_public_IP = var.allocate_public_IP + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = var.management_deploy + management_instance_type = var.management_instance_type + management_version = var.management_version + management_password_hash = 
var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + gateways_policy = var.gateways_policy + gateway_management = var.gateway_management + admin_cidr = var.admin_cidr + gateways_addresses = var.gateways_addresses + + volume_type = var.volume_type +} + +resource "aws_vpc_endpoint" "gwlb_endpoint1" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet1] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet1[*].id + tags = { + "Name" = "gwlb_endpoint1" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint2" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet2] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet2[*].id + tags = { + "Name" = "gwlb_endpoint2" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet3] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet3[*].id + tags = { + "Name" = "gwlb_endpoint3" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint4" { + count = var.number_of_AZs >= 4 ? 
1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet4] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet4[*].id + tags = { + "Name" = "gwlb_endpoint4" + } +} + + +resource "aws_route_table" "tgw_attachment_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint1.id + } + tags = { + Name = "TGW Attachment Subnet 1 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_1_id + route_table_id = aws_route_table.tgw_attachment_subnet1_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint2.id + } + tags = { + Name = "TGW Attachment Subnet 2 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment2_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_2_id + route_table_id = aws_route_table.tgw_attachment_subnet2_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint3[0].id + } + tags = { + Name = "TGW Attachment Subnet 3 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_3_id + route_table_id = aws_route_table.tgw_attachment_subnet3_rtb[0].id +} +resource "aws_route_table" "tgw_attachment_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint4[0].id + } + tags = { + Name = "TGW Attachment Subnet 4 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_4_id + route_table_id = aws_route_table.tgw_attachment_subnet4_rtb[0].id +} + + +resource "aws_eip" "nat_gw_public_address1" { +} +resource "aws_eip" "nat_gw_public_address2" { +} +resource "aws_eip" "nat_gw_public_address3" { + count = var.number_of_AZs >= 3 ? 1 : 0 +} +resource "aws_eip" "nat_gw_public_address4" { + count = var.number_of_AZs >= 4 ? 1 : 0 +} + +resource "aws_nat_gateway" "nat_gateway1" { + depends_on = [aws_subnet.nat_gw_subnet1, aws_eip.nat_gw_public_address1] + allocation_id = aws_eip.nat_gw_public_address1.id + subnet_id = aws_subnet.nat_gw_subnet1.id + + tags = { + Name = "NatGW1" + } +} +resource "aws_nat_gateway" "nat_gateway2" { + depends_on = [aws_subnet.nat_gw_subnet2, aws_eip.nat_gw_public_address2] + allocation_id = aws_eip.nat_gw_public_address2.id + subnet_id = aws_subnet.nat_gw_subnet2.id + + tags = { + Name = "NatGW2" + } +} +resource "aws_nat_gateway" "nat_gateway3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet3, aws_eip.nat_gw_public_address3] + allocation_id = aws_eip.nat_gw_public_address3[0].id + subnet_id = aws_subnet.nat_gw_subnet3[0].id + + tags = { + Name = "NatGW3" + } +} +resource "aws_nat_gateway" "nat_gateway4" { + count = var.number_of_AZs >= 4 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet4, aws_eip.nat_gw_public_address4] + allocation_id = aws_eip.nat_gw_public_address4[0].id + subnet_id = aws_subnet.nat_gw_subnet4[0].id + + tags = { + Name = "NatGW4" + } +} \ No newline at end of file 
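Review bot: The four NAT subnets (`aws_subnet.nat_gw_subnet1` through `nat_gw_subnet4`) are tagged `Network = "Private"` while their route tables carry a `0.0.0.0/0` route to `var.internet_gateway_id` and are tagged `Network = "Public"`, so any tag-driven inventory or policy check will classify those subnets as private when they are in fact internet-routed; the subnet tag should match, i.e. `Network = "Public"` on each NAT subnet. The `provider "aws"` block at the top of the hunk takes `access_key`/`secret_key` from variables, which invites static credentials to be written into tfvars files and CI logs; leaving both arguments out so the provider resolves credentials from its default chain (environment, profile, instance role) is the safer shape. As a point of style, the per-AZ resource sets are four near-identical copies distinguished only by index and a `count = var.number_of_AZs >= N ? 1 : 0` guard; a single resource with `count = var.number_of_AZs` and `element(var.availability_zones, count.index)` would express the same topology once.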
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/output.tf b/deprecated/terraform/aws/R81/tgw-gwlb/output.tf
new file mode 100755
index 00000000..15cb48a3
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/terraform.tfvars b/deprecated/terraform/aws/R81/tgw-gwlb/terraform.tfvars
new file mode 100755
index 00000000..266b4d1a
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/terraform.tfvars
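Review bot: `value = module.gwlb[*].management_public_ip` (and the `gwlb_arn` and `gwlb_service_name` outputs below it) applies a full splat to a module that has no `count` or `for_each`, so each output is a one-element list rather than the scalar its name suggests and every consumer has to index `[0]`. Unless a list is deliberately part of the interface, `value = module.gwlb.management_public_ip` is what the output name promises. The `depends_on = [module.gwlb]` on these three outputs looks redundant, since the value expression already references the module.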
@@ -0,0 +1,69 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+internet_gateway_id ="igw-12345"
+availability_zones = ["us-east-1a", "us-east-1b"]
+number_of_AZs = 2
+gateways_subnets= ["subnet-123456", "subnet-234567"]
+
+transit_gateway_attachment_subnet_1_id="subnet-3456"
+transit_gateway_attachment_subnet_2_id="subnet-4567"
+transit_gateway_attachment_subnet_3_id="subnet-5678"
+transit_gateway_attachment_subnet_4_id="subnet-6789"
+
+nat_gw_subnet_1_cidr ="10.0.13.0/24"
+nat_gw_subnet_2_cidr = "10.0.23.0/24"
+nat_gw_subnet_3_cidr = "10.0.33.0/24"
+nat_gw_subnet_4_cidr = "10.0.43.0/24"
+
+gwlbe_subnet_1_cidr = "10.0.14.0/24"
+gwlbe_subnet_2_cidr = "10.0.24.0/24"
+gwlbe_subnet_3_cidr = "10.0.34.0/24"
+gwlbe_subnet_4_cidr = "10.0.44.0/24"
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/variables.tf b/deprecated/terraform/aws/R81/tgw-gwlb/variables.tf
new file mode 100755
index 00000000..52b97b13
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/variables.tf
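Review bot: The sample `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` expose the Security Management Server's web, SSH and GUI client access to every source address, and because this is a checked-in `terraform.tfvars` it is applied verbatim by anyone who copies the directory without editing it. A placeholder the operator is forced to replace, such as `admin_cidr = "<ADMIN-NETWORK-CIDR>"` (constructed example), fails validation until a real network is supplied instead of silently deploying world-open management access. The same reasoning applies to `gateway_SICKey = "12345678"`, which satisfies the documented 8-character minimum and therefore passes unnoticed. Minor: `enable_cross_zone_load_balancing = "true"` is a quoted string for a variable declared `type = bool` in variables.tf; Terraform coerces it, but the unquoted `true` matches the declaration.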
@@ -0,0 +1,333 @@ +// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// ---VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "internet_gateway_id" { + type = string + description = "VPC's Internet Gateway Id (e.g. igw-123a4567)" +} +variable "availability_zones"{ + type = list(string) + description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)" +} +variable "number_of_AZs" { + type = number + description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter" + default = 2 +} +resource "null_resource" "availability_zones_validation1" { + count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs" +} + +variable "gateways_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} + +variable "transit_gateway_attachment_subnet_1_id" { + type = string + description = "The TGW attachment subnet ID located in the 1st Availability Zone" +} +variable "transit_gateway_attachment_subnet_2_id" { + type = string + description = "The TGW attachment subnet ID located in the 2st Availability Zone" +} +variable "transit_gateway_attachment_subnet_3_id" { + type = string + description = "The TGW attachment subnet ID located in the 3st Availability Zone" + default = "" +} +variable "transit_gateway_attachment_subnet_4_id" { + type = string + description = "The TGW attachment subnet ID located in the 4st Availability Zone" + default = "" +} +variable "nat_gw_subnet_1_cidr" { + type = string + description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone" + default = "10.0.13.0/24" +} +variable "nat_gw_subnet_2_cidr" { + type = string + description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone" + default = "10.0.23.0/24" +} +variable "nat_gw_subnet_3_cidr" { + type = string + description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone" + default = "10.0.33.0/24" +} +variable "nat_gw_subnet_4_cidr" { + type = string + description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone" + default = "10.0.43.0/24" +} +variable "gwlbe_subnet_1_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone" + default = "10.0.14.0/24" +} +variable "gwlbe_subnet_2_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone" + default = "10.0.24.0/24" +} +variable "gwlbe_subnet_3_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone" + default = "10.0.34.0/24" +} +variable 
"gwlbe_subnet_4_cidr" { + type = string + description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone" + default = "10.0.44.0/24" +} +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the automatic provisioning configuration." + default = "gwlb-management-server" +} +variable "configuration_template" { + type = string + description = "A name of a gateway configuration template in the automatic provisioning configuration." 
+ default = "gwlb-ASG-configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Gateway Load Balancer Configuration --- + +variable "gateway_load_balancer_name" { + type = string + description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "gwlb1" +} +resource "null_resource" "gateway_load_balancer_name_too_long" { + // Will fail if gateway_load_balancer_name more than 32 + count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32" +} +variable "target_group_name" { + type = string + description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "tg1" +} +resource "null_resource" "target_group_name_too_long" { + // Will fail if target_group_name more than 32 + count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32" +} +variable "enable_cross_zone_load_balancing" { + type = bool + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." + default = true +} + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateway instances. (optional)" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The EC2 instance type for the Security Gateways." 
+ default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "minimum_group_size" { + type = number + description = "The minimal number of Security Gateways." + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximal number of Security Gateways." + default = 10 +} +variable "gateway_version" { + type = string + description = "The version and license to install on the Security Gateways." + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} + +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 
0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics." + default = false +} + +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- + +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable 
"gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
diff --git a/deprecated/terraform/aws/R81/tgw-gwlb/versions.tf b/deprecated/terraform/aws/R81/tgw-gwlb/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/deprecated/terraform/aws/R81/tgw-gwlb/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
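Review bot: `access_key`, `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` are declared without `sensitive = true`, so their values can appear in plan output and in the diff of the `module "gwlb"` inputs; with `required_version = ">= 0.14.3"` in versions.tf the attribute is available, and adding `sensitive = true` to each of those seven declarations is a one-line change per variable. The description of `gateway_SICKey` promises "at least 8 alphanumeric characters" but nothing enforces it, whereas `configuration_template` already uses a `validation` block; `condition = can(regex("^[A-Za-z0-9]{8,}$", var.gateway_SICKey))` with a matching `error_message` would make the documented contract real. The `null_resource` count-as-assertion pattern used by `volume_size_too_small`, `gateway_load_balancer_name_too_long`, `target_group_name_too_long` and `invalid_allocation` could likewise move into `validation` blocks, which report the failure at `terraform validate` rather than at plan time.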