CheckPointSW · chkp-natanelm · Jan 25, 2024 · Dec 14, 2023 · Dec 14, 2023 · Dec 21, 2023
diff --git a/terraform/azure/modules/add-routing-intent.py b/terraform/azure/modules/add-routing-intent.py
@@ -0,0 +1,29 @@
+import json
+import requests
+import sys
+
+
+def perform_put_request(url, data, headers=None):
+    """
+    This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent
+    """
+    result = {"status": "success", "message": ""}
+    try:
+        response = requests.put(url, json=data, headers=headers)
+        result["message"] = response.text
+    except Exception as e:
+        result["status"] = "error"
+        result["message"] = f"An error occurred: {str(e)}"
+    return result
+
+
+if __name__ == "__main__":
+    """
+    This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent
+    """
+    api_url = sys.argv[1]
+    api_data = eval(sys.argv[2])
+    auth_token = sys.argv[3]
+    api_headers = {"Authorization": f'Bearer {auth_token}'}
+    result = perform_put_request(api_url, api_data, api_headers)
+    print(json.dumps(result))
diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md
diff --git a/terraform/azure/nva-into-existing-hub/main.tf b/terraform/azure/nva-into-existing-hub/main.tf
@@ -0,0 +1,186 @@
+//********************** Basic Configuration **************************//
+resource "azurerm_resource_group" "managed-app-rg" {
+  name     = var.resource-group-name
+  location = var.location
+}
+
+data "azurerm_virtual_hub" "vwan-hub" {
+  name                = var.vwan-hub-name
+  resource_group_name = var.vwan-hub-resource-group
+}
+
+//********************** Image Version **************************//
+
+data "external" "az_access_token" {
+  count = var.authentication_method == "Azure CLI" ? 1 : 0
+  program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--output=json"]
+}
+
+data "http" "azure_auth" {
+  count = var.authentication_method == "Service Principal" ? 1 : 0
+  url    = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token"
+  method = "POST"
+  request_headers = {
+    "Content-Type" = "application/x-www-form-urlencoded"
+  }
+  request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default"
+}
+
+locals {
+  access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken
+}
+
+data "http" "image-versions" {
+  method = "GET"
+  url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX + S1C)" ? "-ngtx" : ""}?api-version=2020-05-01"
+  request_headers = {
+    Accept = "application/json"
+    "Authorization" = "Bearer ${local.access_token}"
+  }
+}
+
+locals {
+      image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
+      routing_intent-internet-policy = {
+        "name": "InternetTraffic",
+        "destinations": [
+          "Internet"
+        ],
+        "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+      }
+      routing_intent-private-policy = {
+        "name": "PrivateTrafficPolicy",
+        "destinations": [
+          "PrivateTraffic"
+        ],
+        "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+      }
+      routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
+      req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}})
+      req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01"
+}
+
+//********************** Marketplace Terms & Solution Registration **************************//
+data "http" "accept-marketplace-terms-existing-agreement" {
+  method = "GET"
+  url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01"
+  request_headers = {
+    Accept = "application/json"
+    "Authorization" = "Bearer ${local.access_token}"
+  }
+}
+
+resource "azurerm_marketplace_agreement" "accept-marketplace-terms" {
+  count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1
+  publisher = "checkpoint"
+  offer     = "cp-vwan-managed-app"
+  plan      = "vwan-app"
+}
+
+data "http" "azurerm_resource_provider_registration-exist" {
+  method = "GET"
+  url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01"
+  request_headers = {
+    Accept = "application/json"
+    "Authorization" = "Bearer ${local.access_token}"
+  }
+}
+
+resource "azurerm_resource_provider_registration" "solutions" {
+  count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1
+  name = "Microsoft.Solutions"
+}
+
+
+//********************** Managed Application Configuration **************************//
+resource "azurerm_managed_application" "nva" {
+  depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions]
+  name                        = var.managed-app-name
+  location                    = azurerm_resource_group.managed-app-rg.location
+  resource_group_name         = azurerm_resource_group.managed-app-rg.name
+  kind                        = "MarketPlace"
+  managed_resource_group_name = var.nva-rg-name
+
+  plan {
+    name      = "vwan-app"
+    product   = "cp-vwan-managed-app"
+    publisher = "checkpoint"
+    version   = "1.0.8"
+  }
+  parameter_values = jsonencode({
+    location = {
+      value = azurerm_resource_group.managed-app-rg.location
+    },
+    hubId = {
+      value = data.azurerm_virtual_hub.vwan-hub.id
+    },
+    osVersion = {
+      value = var.os-version
+    },
+    LicenseType = {
+      value = var.license-type
+    },
+    imageVersion = {
+      value = element(local.image_versions, length(local.image_versions) -1)
+    },
+    scaleUnit = {
+      value = var.scale-unit
+    },
+    bootstrapScript = {
+      value = var.bootstrap-script
+    },
+    adminShell = {
+      value = var.admin-shell
+    },
+    sicKey = {
+      value = var.sic-key
+    },
+    sshPublicKey = {
+      value = var.ssh-public-key
+    },
+    BGP = {
+      value = var.bgp-asn
+    },
+    NVA = {
+      value = var.nva-name
+    },
+    customMetrics = {
+      value = var.custom-metrics
+    },
+    hubASN = {
+      value = data.azurerm_virtual_hub.vwan-hub.virtual_router_asn
+    },
+    hubPeers = {
+      value = data.azurerm_virtual_hub.vwan-hub.virtual_router_ips
+    },
+    smart1CloudTokenA = {
+      value = var.smart1-cloud-token-a
+    },
+    smart1CloudTokenB = {
+      value = var.smart1-cloud-token-b
+    },
+    smart1CloudTokenC = {
+      value = var.smart1-cloud-token-c
+    },
+    smart1CloudTokenD = {
+      value = var.smart1-cloud-token-d
+    },
+    smart1CloudTokenE = {
+      value = var.smart1-cloud-token-e
+    }
+  })
+}
+
+//********************** Routing Intent **************************//
+
+
+data "external" "update-routing-intent" {
+  count = length(local.routing-intent-policies) != 0 ? 1 : 0
+  depends_on = [azurerm_managed_application.nva]
+  program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]
+}
+
+output "api_request_result" {
+  value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"}
+}
+
diff --git a/terraform/azure/nva-into-existing-hub/terraform.tfvars b/terraform/azure/nva-into-existing-hub/terraform.tfvars
@@ -0,0 +1,29 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+authentication_method               = "PLEASE ENTER AUTHENTICATION METHOD"                                                # "Service Principal"
+client_secret                       = "PLEASE ENTER CLIENT SECRET"                                                        # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id                           = "PLEASE ENTER CLIENT ID"                                                            # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id                           = "PLEASE ENTER TENANT ID"                                                            # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id                     = "PLEASE ENTER SUBSCRIPTION ID"                                                      # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+resource-group-name                 = "PLEASE ENTER RESOURCE GROUP NAME"                                                  # "tf-managed-app-resource-group"
+location                            = "PLEASE ENTER LOCATION"                                                             # "westcentralus"
+vwan-hub-name                       = "PLEASE ENTER VWAN HUB NAME"                                                        # "tf-vwan-hub"
+vwan-hub-resource-group             = "PLEASE ENTER VWAN HUB RESOURCE GROUP"                                              # "tf-vwan-hub-rg"
+managed-app-name                    = "PLEASE ENTER MANAGED APPLICATION NAME"                                             # "tf-vwan-managed-app-nva"
+nva-rg-name                         = "PLEASE ENTER NVA RESOURCE GROUP NAME"                                              # "tf-vwan-nva-rg"
+nva-name                            = "PLEASE ENTER NVA NAME"                                                             # "tf-vwan-nva"
+os-version                          = "PLEASE ENTER GAIA OS VERSION"                                                      # "R8120"
+license-type                        = "PLEASE ENTER LICENSE TYPE"                                                         # "Security Enforcement (NGTP)"
+scale-unit                          = "PLEASE ENTER SCALE UNIT"                                                           # "2"
+bootstrap-script                    = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES"                           # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+admin-shell                         = "PLEASE ENTER ADMIN SHELL"                                                          # "/etc/cli.sh"
+sic-key                             = "PLEASE ENTER SIC KEY"                                                              # "xxxxxxxxxx"
+ssh-public-key                      = "PLEASE ENTER SSH PUBLIC KEY"                                                       # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+bgp-asn                             = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER"                                         # "64512"
+custom-metrics                      = "PLEASE ENTER yes or no"                                                            # "yes"
+routing-intent-internet-traffic     = "PLEASE ENTER yes or no"                                                            # "yes"
+routing-intent-private-traffic      = "PLEASE ENTER yes or no"                                                            # "yes"
+smart1-cloud-token-a                = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-b                = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-c                = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-d                = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE D OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-e                = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE E OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"